1. Forward

This document is an industry specification that enables trust in computing platforms in general. 

This specification defines a trusted Subsystem that is an integral part of each platform, and provides 
functions that can be used by enhanced operating systems and applications. The Subsystem employs 
cryptographic methods when establishing trust, and while this does not in itself convert a platform into a 
secure computing environment, it is a significant step in that direction. 

Standardization is necessary so that the security and cryptographic community can assess the 
mechanisms involved, and so that customers can understand and trust the effectiveness of new features. 
Manufacturers will compete in the marketplace by installing Subsystems with varying capabilities and cost 
points. The Subsystem itself will have basic functions that maintain privacy, yet support the identity and 
authentication of entities such as the platform, the user, and other entities. The Subsystem will have other 
capabilities to protect data and verify certain operational aspects of the platform. It can be a separate 
device or devices, or it can be integrated into some existing component or components provided the 
implementation meets the requirements of this specification. This is necessary to achieve the 
fundamental goal of ubiquity. 

Please note a very important distinction between different sections of text throughout this document. 
Beginning in chapter 2, "The Trusted Platform Subsystem," you will encounter two distinctive kinds of text: 
informative comment and normative statements. Because most of the text in this specification will be of 
the kind normative statements, the authors have informally defined it as the default and, as such, have 
specifically called out text of the kind informative comment. They have done this by flagging the beginning 
and end of each informative comment and highlighting its text in gray. This means that unless text is 
specifically marked as of the kind informative comment, you can consider it of the kind normative 
statements. 

The key words "MUST," "MUST NOT," "REQUIRED," "SHALL," "SHALL NOT," "SHOULD," "SHOULD 
NOT," "RECOMMENDED," "MAY," and "OPTIONAL" in the chapters 2-10 normative statements are to be 
interpreted as described in [RFC-2119]. 

For example:




This is the first paragraph of one or more paragraphs (and/or sections) containing the text of the kind 
normative statements ... 



To understand the TCPA specification the user MUST read the specification. (This use of MUST indicates 
a keyword usage and requires an action). 
2. The Trusted Platform Subsystem



2.1 Introduction 




2.2 Roots of Trust 
2.2.1 Definitions

Root of Trust for Measurement (RTM) 

The point from which all trust in the measurement process is predicated. The RTM contains many 
components to provide this level of trust. The design document shows that the RTM includes a core 
component, the computing engine to run the core component, physical connections of the core and the 
computing engine and other items. 

Core Root of Trust for Measurement (CRTM)

The component of the RTM from which the platform begins execution of its trusted state.

Root of Trust for Reporting (RTR)

The point from which all trust in reporting of measured information is predicated.

Root of Trust for Storing (RTS)

The point from which all trust in Protected Storage is predicated.

2.2.2 Instantiations and Trust Bindings 
[Figure: TPM contents. Block diagram showing asymmetric key generation, asymmetric encryption co-processor, computing engine, HMAC, hash, TPM-owner memory and entity-owner memory (each with nonce, auth handle, digest, ephemeral secret), memory holding the PCRs (PlatformConfigurationRegister0 to PlatformConfigurationRegister7), parent key (2048b), child key (2048b) and scratch pad, and non-volatile memory holding keys (private endorsement, StorageRootKey, maintenance, TPME-identity-key, 2048b each), owner authorisation (160b), flags (KillMaintenance, DisableOwnerReset, TPMStaticDisable), RNG-state-register, data-integrity-register, MAC-secret and programs.]


A Trusted Platform SHALL include the following: 

• at least one root of trust for measuring integrity metrics,

• exactly one root of trust for storing and reporting integrity metrics, 

• at least one Trusted Platform Measurement Store, 

• at least one TCPA Validation Data, and 

• exactly one Trusted Platform Agent. 



The Endorsement Key is transitively bound to the Platform via the TPM as follows: 

1. An Endorsement Key is bound to one and only one TPM (i.e., there is a one to one correspondence 
between an Endorsement Key and a TPM.) 

2. A TPM is bound to one and only one Platform, (i.e., there is a one to one correspondence between a 
TPM and a Platform.) 

3. Therefore, an Endorsement Key is bound to a Platform, (i.e., there is a one to one correspondence 
between an Endorsement Key and a Platform.) 

An instantiation of the root of trust for measuring integrity metrics, while acting as the root of trust for 
measuring integrity metrics, SHALL do the following: 

• execute no programs other than those intended by the entity that vouches for the root of trust for 
measuring integrity metrics, 

• be resistant to the forms of software attack and to the forms of physical attack implied by the 
platform's Protection Profile, 

• accurately measure at least one integrity metric that indicates the software environment of a platform, 

• accurately record measured integrity metrics to a root of trust for storing and reporting integrity
metrics, and

• accurately record details of the process of measuring all its integrity metrics to a Trusted Platform 
Measurement Store. 

An instantiation of the root of trust for storing and reporting integrity metrics SHALL do the following: 

• be resistant to all forms of software attack and to the forms of physical attack implied by the platform's 
Protection Profile, 

• accept recording of measured integrity metrics, and 

• supply an accurate digest of all sequences of presented integrity metrics. 

An instantiation of a Trusted Platform Measurement Store SHOULD do the following: 

• accurately accept, store and supply details of at least one process of measuring an integrity metric. 

An instantiation of the repository for TCPA Validation Data SHOULD do the following: 

• accurately store and supply a predicted value of at least one integrity metric. 



An instantiation of the Trusted Platform Agent SHOULD do the following: 



• obtain and supply an accurate report from the root of trust for storing and reporting integrity metrics of 
at least one sequence of integrity metrics in a form that prevents misrepresentation of that sequence 
or its source, 

• obtain and supply an accurate report from a Trusted Platform Measurement Store of at least one set 
of details describing the measurement of an integrity metric, and 

• obtain and supply an accurate report from the repository for TCPA Validation Data of at least one 
predicted value of an integrity metric 

2.3 Integrity Operations 
2.3.1 Storage of Integrity Metrics 
Integrity metrics presented to a TPM SHALL be stored inside that TPM in a way that prevents
misrepresentation of the presented values or of the sequence in which they were presented.

2.3.2 Reporting of Integrity Metrics
Sequences of integrity metrics reported by the TPM SHALL be reported by that TPM in a way that
prevents misrepresentation of the sequences and prevents misrepresentation of the reporting TPM.

2.4 Use of Keys Associated With TPM Identities 




It MUST be possible to reliably distinguish between the private key of a TPM identity and other keys. 

A key that is distinguished as the private key of a TPM identity SHALL NOT be used to generate a digital
signature value over data that could mimic the output of a TCPA protected capability.

A TPM SHALL NOT use a key that is distinguished as the private key of a TPM identity except during the 
part of a TCPA "protected capability" whose specification permits and/or requires the use of a TPM 
identity. 

When signing on behalf of a TPM identity during the part of a TCPA protected capability whose 
specification requires the signature of a TPM identity, a TPM SHALL NOT use a key other than one that 
is distinguished as the private key of a TPM identity. 

2.5 Cryptographic Operations 

No operation outside the TPM SHALL affect the security of the TPM, only the ability of the TPM to
operate. TCPA Operations are classified as:

Protected Operations

Operations affecting the security properties of TCPA. These are TPM Operations. These begin with TPM_

Unprotected Operations

Operations supporting the protected operations. These are normally implemented outside the TPM.
These begin with TSS_

Connection Operations

Operations affecting the connection of the platform to the TPM. These are typically defined in the
Platform Specific specifications. These begin with TSC_.
3. Protection
3.1 Introduction

For the purposes of the "Protection" section of the specification: the threats that MUST be considered
when determining whether the platform facilitates subversion of TCPA-protected capabilities or data in
TCPA-shielded locations SHALL include the methods inherent in physical attacks that should fail if the
platform complies with its protection profile, and SHALL include all methods that require execution of
instructions in a computing engine in the platform.



3.3 Integrity 




A platform SHALL NOT facilitate the alteration of TCPA-protected capabilities or data in TCPA-shielded 
locations, except by TCPA-protected capabilities. 



3.4 Privileged Access 




A platform SHALL NOT facilitate the disclosure or the exposure of data in TCPA-shielded locations 
except to TCPA-protected capabilities. 



3.5 Side effects 




The implementation of a TCPA-protected capability in a platform SHALL NOT facilitate the disclosure or 
the exposure of data in TCPA-shielded locations except by means unavoidably inherent in the TCPA 
definition. 
4. Structures and Defines




4.1.1 Endness of Structures 

Each structure MUST use big endian bit ordering, which follows the Internet standard and requires that 
the low-order bit appear to the far right of a word, buffer, wire format, or other area and the high-order bit 
appear to the far left. 

4.1.2 Byte Packing 

All structures MUST be packed on a byte boundary. 

4.1.3 Lengths 

The "Byte" is the unit of length when the length of a parameter is specified. 
4.2 Defines

4.2.1 Basic data types
Parameters

| Typedef | Name | Description |
|---|---|---|
| unsigned char | BYTE | Basic byte used to transmit all character fields. |
| unsigned char | BOOL | TRUE/FALSE field. TRUE = 0x01, FALSE = 0x00 |
| unsigned short | UINT16 | 16 bit field. The definition in different architectures may need to specify 16 bits instead of the short definition |
| unsigned long | UINT32 | 32 bit field. The definition in different architectures may need to specify 32 bits instead of the long definition |



4.2.2 Boolean types 



| Name | Value | Description |
|---|---|---|
| TRUE | 0x01 | Assertion |
| FALSE | 0x00 | Contradiction |



4.2.3 Helper redefinitions 

The following definitions are to make the IDL definitions more explicit and easier to read. 
Parameters 



| Typedef | Name | Description |
|---|---|---|
| UINT32 | TCPA_PCRINDEX | Index to a PCR register |
| UINT32 | TCPA_DIRINDEX | Index to a DIR register |
| UINT32 | TCPA_AUTHHANDLE | Handle to an authorization session |
| UINT32 | TSS_HASHHANDLE | Handle to a hash session |
| UINT32 | TSS_HMACHHANDLE | Handle to a HMAC session |
| UINT32 | TCPA_ENCHANDLE | Handle to a encryption/decryption session |
| UINT32 | TCPA_KEY_HANDLE | The area where a key is held assigned by the TPM. |
| UINT32 | TCPA_RESULT | The return code from a function |
4.2.4 Enumerated Helper redefinitions

| Typedef | Name | Description |
|---|---|---|
| UINT32 | TCPA_COMMAND_CODE | The command ordinal. See 4.33 |
| UINT16 | TCPA_PROTOCOL_ID | The protocol in use. See 4.17 |
| UINT32 | TCPA_EVENTTYPE | Type of PCR event. See 4.[illegible] |
| BYTE | TCPA_AUTH_DATA_USAGE | Indicates the conditions where it is required that authorization be presented. See 4.11 |
| UINT16 | TCPA_ENTITY_TYPE | Indicates the types of entity that are supported by the TPM. See 4.15 |
| UINT32 | TCPA_ALGORITHM_ID | Indicates the type of algorithm. See 4.18 |
| UINT16 | TCPA_KEY_USAGE | Indicates the permitted usage of the key. See 4.10 |
| UINT16 | TCPA_STARTUP_TYPE | Indicates the start state. See 4.16 |
| UINT32 | TCPA_CAPABILITY_AREA | Identifies a TPM capability area. See 4.31 |
| UINT16 | TCPA_ENC_SCHEME | The definition of the encryption scheme. See 8.4 |
| UINT16 | TCPA_SIG_SCHEME | The definition of the signature scheme. See 8.5 |
| UINT16 | TCPA_MIGRATE_SCHEME | The definition of the migration scheme. See 4.22 |
| UINT16 | TCPA_PHYSICAL_PRESENCE | Sets the state of the physical presence mechanism. See section 4.19 |
| UINT32 | TCPA_KEY_FLAGS | Indicates information regarding a key. See 4.12 |

The following defines allow for the quick specification of a vendor specific item.
Parameters

| Name | Value |
|---|---|
| TCPA_Vendor_Specific32 | 0x80000000 |
| TCPA_Vendor_Specific16 | 0x8000 |
| TCPA_Vendor_Specific8 | 0x80 |

4.3 Return codes

Description

When a command fails for ANY reason, the TPM MUST return only the following three items:

• TPM_TAG_RQU_COMMAND (2 bytes)

• ParamLength (4 bytes, fixed at 10)

• Return Code (4 bytes, never TCPA_SUCCESS)

If a return code is mandated by the action list of a command the TPM MUST return that error code. All
commands MAY return TPM_FAIL; where there is a more descriptive error code the TPM SHOULD use
the more descriptive error code.

The return code MUST be chosen from the following list. 
Parameters 



| Name | Value | Description |
|---|---|---|
| TCPA_BASE | 0x0 | The start of TCPA return codes |
| TCPA_SUCCESS | TCPA_BASE | Successful completion of the operation |
| TCPA_VENDOR_ERROR | TCPA_BASE + TCPA_Vendor_Specific32 | These error codes are vendor specific for vendor specific commands. |
| TCPA_AUTHFAIL | TCPA_BASE + 1 | Authentication failed |
| TCPA_BADINDEX | TCPA_BASE + 2 | The index to a PCR, DIR or other register is incorrect |
| TCPA_BAD_PARAMETER | TCPA_BASE + 3 | One or more parameter is bad |
| TCPA_AUDITFAILURE | TCPA_BASE + 4 | An operation completed successfully but the auditing of that operation failed. |
| TCPA_CLEAR_DISABLED | TCPA_BASE + 5 | The clear disable flag is set and all clear operations now require physical access |
| TCPA_DEACTIVATED | TCPA_BASE + 6 | The TPM is deactivated |
| TCPA_DISABLED | TCPA_BASE + 7 | The TPM is disabled |
| TCPA_DISABLED_CMD | TCPA_BASE + 8 | The target command has been disabled |
| TCPA_FAIL | TCPA_BASE + 9 | The operation failed |
| TCPA_INACTIVE | TCPA_BASE + 10 | The TPM is inactive |
| TCPA_INSTALL_DISABLED | TCPA_BASE + 11 | The ability to install an owner is disabled |
| TCPA_INVALID_KEYHANDLE | TCPA_BASE + 12 | The key handle presented was invalid |
| TCPA_KEYNOTFOUND | TCPA_BASE + 13 | The target key was not found |
| TCPA_NEED_SELFTEST | TCPA_BASE + 14 | The capability requires an untested function; additional self-test is required before the capability may execute. |
| TCPA_MIGRATEFAIL | TCPA_BASE + 15 | Migration authorization failed |
| TCPA_NO_PCR_INFO | TCPA_BASE + 16 | A list of PCR values was not supplied |
| TCPA_NOSPACE | TCPA_BASE + 17 | No room to load key. |
| TCPA_NOSRK | TCPA_BASE + 18 | There is no SRK set |
| TCPA_NOTSEALED_BLOB | TCPA_BASE + 19 | An encrypted blob is invalid or was not created by this TPM |
| TCPA_OWNER_SET | TCPA_BASE + 20 | There is already an Owner |
| TCPA_RESOURCES | TCPA_BASE + 21 | The TPM has insufficient internal resources to perform the requested action. |
| TCPA_SHORTRANDOM | TCPA_BASE + 22 | A random string was too short |
| TCPA_SIZE | TCPA_BASE + 23 | The TPM does not have the space to perform the operation. |
| TCPA_WRONGPCRVAL | TCPA_BASE + 24 | The named PCR value does not match the current PCR value. |
| TCPA_BUSY | TCPA_BASE + 25 | The TPM is too busy to respond to the command |
| TCPA_SHA_THREAD | TCPA_BASE + 26 | There is no existing SHA-1 thread. |
| TCPA_SHA_ERROR | TCPA_BASE + 27 | The calculation is unable to proceed because the existing SHA-1 thread has already encountered an error. |
| TCPA_FAILEDSELFTEST | TCPA_BASE + 28 | Self-test has failed and the TPM has shutdown. |
| TCPA_AUTH2FAIL | TCPA_BASE + 29 | The authorization for the second key in a 2 key function failed authorization |
| TCPA_BADTAG | TCPA_BASE + 30 | The tag value sent for a command is invalid |
| TCPA_IOERROR | TCPA_BASE + 31 | An IO error occurred transmitting information to the TPM |
| TCPA_ENCRYPT_ERROR | TCPA_BASE + 32 | The encryption process had a problem. |
| TCPA_DECRYPT_ERROR | TCPA_BASE + 33 | The decryption process did not complete. |
| TCPA_INVALID_AUTHHANDLE | TCPA_BASE + 34 | The auth handle was invalid |
| TCPA_NO_ENDORSEMENT | TCPA_BASE + 35 | The TPM does not have an EK installed |
| TCPA_INVALID_KEYUSAGE | TCPA_BASE + 36 | The usage of a key is not allowed |
| TCPA_WRONG_ENTITYTYPE | TCPA_BASE + 37 | The submitted entity type is not allowed |
| TCPA_INVALID_POSTINIT | TCPA_BASE + 38 | The command was received in the wrong sequence relative to TPM_Init and a subsequent TPM_Startup |

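
A conformance check for the failure response format this section defines, as an added example that is not part of the specification: it accepts only the three items at exactly 10 bytes, so an error path that returns any extra data is rejected. The function and class names are hypothetical, the sample bytes are constructed, and treating any code with the TCPA_Vendor_Specific32 bit set as a vendor error is an assumption.

```python
import struct

TPM_TAG_RQU_COMMAND = 0x00C1          # tag this section names for a failure
TCPA_VENDOR_SPECIFIC32 = 0x80000000   # TCPA_Vendor_Specific32
FAILURE_LENGTH = 10                   # 2-byte tag + 4-byte length + 4-byte code

# Names from the return code table, indexed by offset from TCPA_BASE (0x0).
RETURN_CODE_NAMES = (
    "TCPA_SUCCESS", "TCPA_AUTHFAIL", "TCPA_BADINDEX", "TCPA_BAD_PARAMETER",
    "TCPA_AUDITFAILURE", "TCPA_CLEAR_DISABLED", "TCPA_DEACTIVATED",
    "TCPA_DISABLED", "TCPA_DISABLED_CMD", "TCPA_FAIL", "TCPA_INACTIVE",
    "TCPA_INSTALL_DISABLED", "TCPA_INVALID_KEYHANDLE", "TCPA_KEYNOTFOUND",
    "TCPA_NEED_SELFTEST", "TCPA_MIGRATEFAIL", "TCPA_NO_PCR_INFO",
    "TCPA_NOSPACE", "TCPA_NOSRK", "TCPA_NOTSEALED_BLOB", "TCPA_OWNER_SET",
    "TCPA_RESOURCES", "TCPA_SHORTRANDOM", "TCPA_SIZE", "TCPA_WRONGPCRVAL",
    "TCPA_BUSY", "TCPA_SHA_THREAD", "TCPA_SHA_ERROR", "TCPA_FAILEDSELFTEST",
    "TCPA_AUTH2FAIL", "TCPA_BADTAG", "TCPA_IOERROR", "TCPA_ENCRYPT_ERROR",
    "TCPA_DECRYPT_ERROR", "TCPA_INVALID_AUTHHANDLE", "TCPA_NO_ENDORSEMENT",
    "TCPA_INVALID_KEYUSAGE", "TCPA_WRONG_ENTITYTYPE", "TCPA_INVALID_POSTINIT",
)


class NonConformingResponse(ValueError):
    """The bytes are not a failure response as this section defines it."""


def parse_failure_response(raw):
    """Return (code, name) for a conforming failure response, else raise."""
    if len(raw) != FAILURE_LENGTH:
        # The TPM must return only the three items; extra bytes are a defect.
        raise NonConformingResponse("expected exactly 10 bytes, got %d" % len(raw))
    # Big endian, byte packed: UINT16 tag, UINT32 length, UINT32 return code.
    tag, param_length, code = struct.unpack(">HII", raw)
    if tag != TPM_TAG_RQU_COMMAND:
        raise NonConformingResponse("unexpected tag 0x%04X" % tag)
    if param_length != FAILURE_LENGTH:
        raise NonConformingResponse("ParamLength is %d, not 10" % param_length)
    if code == 0:
        raise NonConformingResponse("failure response carries TCPA_SUCCESS")
    if code & TCPA_VENDOR_SPECIFIC32:
        return code, "TCPA_VENDOR_ERROR"      # assumption: vendor bit marks vendor codes
    if code >= len(RETURN_CODE_NAMES):
        raise NonConformingResponse("return code %d is not in the defined list" % code)
    return code, RETURN_CODE_NAMES[code]


def is_conforming_failure(raw):
    """Boolean form of parse_failure_response, convenient for test harnesses."""
    try:
        parse_failure_response(raw)
    except NonConformingResponse:
        return False
    return True


# Constructed sample responses (not captured from a real TPM).
GOOD_AUTHFAIL = bytes.fromhex("00c1" "0000000a" "00000001")
LEAKY_RESPONSE = bytes.fromhex("00c1" "0000000e" "00000001" "deadbeef")

if __name__ == "__main__":
    print(parse_failure_response(GOOD_AUTHFAIL))
    print(is_conforming_failure(LEAKY_RESPONSE))
```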
4.4 Command Specification Table Description
4.4.1 Introduction, Definition of Terms

• The parameter order column (PARAM) lists the order in which the parameters must be added to the 
input or output array and their respective size. If this entry in the column is blank, then that parameter 
is not sent to the TPM driver. 

• <> in size column means that the size of the element is defined by the appropriate input parameter
(sizeInData controls inData). Where an explicit input 'size' parameter exists, it has been moved to
immediately precede the array to which it refers so that there is no confusion.

• When a null terminated string is included in a calculation, the terminating null SHALL NOT be 
included in the calculation. 

• The following rules concerning byte ordering within a parameter are consistent with Section 4.1 and 
follow Internet standards: 

1. Elements of a structure are marshaled in the order in which they appear in the document. 

2. Byte arrays are marshaled starting with index 0, followed by index 1, and so on. 

3. Integer types are marshaled most significant byte first. 

4. No padding bytes are to be inserted at any point. 

5. Bit ordering within the byte is determined by the IO channel in use.

• Parameters are marshaled into the input or output arrays according to the following order: 

1. Tag specifier 

2. Array length, including tag and length specifier bytes 

3. Command ordinal and/or return code 

4. Key handles 

5. Remaining fixed length parameters 

6. Remaining variable length parameters (with their size parameter) 

7. If applicable, First authorization setup (authHandle - input only, then nonce, then
continueUse)

8. If applicable, First Authorization digest 

9. If applicable, Second authorization setup 

10. If applicable, Second authorization digest 

4.4.2 HMAC Calculation for Authorization 

• All authorized parameters other than the authorization setup parameters (authHandle, nonces and 
continueUse) are hashed using SHA-1. This digest, referred to as <paramDigest> throughout this 
document, is HMAC'd with the authorization setup parameters to form the authorization digest. 

• Where there are two authorization sessions within a single command (changeAuth, etc.) the two 
HMACs are computed using the common <paramDigest> but their respective setup parameters only. 

1. AuthDigest1 = HMAC( <paramDigest>, EvenNonce1, OddNonce1, continueUse1 )

2. AuthDigest2 = HMAC( <paramDigest>, EvenNonce2, OddNonce2, continueUse2 )

• The comment after the HMAC authorization digest includes the source of the HMAC key for the
digest. If the authorization session is of type OSAP, then the actual key is the sharedSecret that was
derived from the secret listed in the comment. For OIAP sessions, the HMAC key is the listed secret
directly.

• In the tables below, the order of computation of the SHA1 hash and HMACs are shown in the HMAC 
column. The subscript 'S' refers to parameters that are hashed together using SHA1 to form 
<paramDigest>. The subscripts 'H1' & 'H2' refer to parameters that are HMAC'd to form the first and 
second authorization digests. 

• Note that as the first element to the HMAC calculation is <paramDigest>, HMAC element numbers 
start with 2 in all cases below. 

• In all cases, both input and output, the HMAC calculation uses the following order: 

1. <paramDigest> 

2. Even nonce (generated by TPM) 

3. Odd nonce (generated by system) 

4. ContinueUse 
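
The marshaling order of 4.4.1 and the digest calculation of 4.4.2, worked through for a one-session command and checked on the receiving side; this is an added example, not code from the specification. It assumes HMAC-SHA1 over the concatenated elements, an OIAP-style session where the secret is the HMAC key directly, and that the ordinal plus the non-handle parameters form the authorized set; the ordinal, handles, secret and function names are hypothetical.

```python
import hashlib
import hmac
import struct

TPM_TAG_RQU_AUTH1_COMMAND = 0x00C2   # tag value from the table in 4.4.3
NONCE_LEN = DIGEST_LEN = 20          # SHA-1 sized, as TCPA_NONCE / TCPA_DIGEST


def param_digest(authorized_params):
    """<paramDigest>: SHA-1 over the authorized parameters in marshaled order."""
    return hashlib.sha1(b"".join(authorized_params)).digest()


def auth_digest(key, p_digest, even_nonce, odd_nonce, continue_use):
    """HMAC over <paramDigest>, even nonce, odd nonce, continueUse, in that order."""
    if len(p_digest) != DIGEST_LEN:
        raise ValueError("paramDigest must be 20 bytes")
    if len(even_nonce) != NONCE_LEN or len(odd_nonce) != NONCE_LEN:
        raise ValueError("nonces must be 20 bytes")
    cont = b"\x01" if continue_use else b"\x00"   # BOOL: TRUE = 0x01, FALSE = 0x00
    msg = p_digest + even_nonce + odd_nonce + cont
    return hmac.new(key, msg, hashlib.sha1).digest()


def build_auth1_command(ordinal, key_handles, params, auth_handle,
                        even_nonce, odd_nonce, continue_use, secret):
    """Marshal a one-session command in the 4.4.1 order and append its digest."""
    ordinal_b = struct.pack(">I", ordinal)         # most significant byte first
    handles_b = b"".join(struct.pack(">I", h) for h in key_handles)
    # Assumption: ordinal plus the non-handle parameters are the authorized set.
    digest = auth_digest(secret, param_digest([ordinal_b, *params]),
                         even_nonce, odd_nonce, continue_use)
    cont = b"\x01" if continue_use else b"\x00"
    setup = struct.pack(">I", auth_handle) + odd_nonce + cont
    body = ordinal_b + handles_b + b"".join(params) + setup + digest
    total = 2 + 4 + len(body)                      # length counts tag and length bytes
    return struct.pack(">HI", TPM_TAG_RQU_AUTH1_COMMAND, total) + body


def verify_auth1_command(command, n_handles, even_nonce, secret):
    """Receiver side: recompute the digest from the wire bytes, compare in constant time."""
    trailer = 4 + NONCE_LEN + 1 + DIGEST_LEN       # authHandle, nonce, continueUse, digest
    params_start = 10 + 4 * n_handles              # tag, length, ordinal, key handles
    if len(command) < params_start + trailer:
        return False
    tag, total = struct.unpack(">HI", command[:6])
    if tag != TPM_TAG_RQU_AUTH1_COMMAND or total != len(command):
        return False
    ordinal_b = command[6:10]
    params = command[params_start:len(command) - trailer]
    setup = command[len(command) - trailer:len(command) - DIGEST_LEN]
    odd_nonce, cont = setup[4:4 + NONCE_LEN], setup[-1]
    if cont not in (0, 1):
        return False
    expected = auth_digest(secret, param_digest([ordinal_b, params]),
                           even_nonce, odd_nonce, cont == 1)
    return hmac.compare_digest(expected, command[-DIGEST_LEN:])


# Constructed sample values (not from the specification).
SECRET = hashlib.sha1(b"example owner secret").digest()
EVEN = bytes(range(20))          # nonce generated by the TPM
ODD = bytes(range(20, 40))       # nonce generated by the system
SAMPLE = build_auth1_command(0x0000FFFF, [0x01000001],
                             [struct.pack(">I", 4), b"data"],
                             0x00000007, EVEN, ODD, True, SECRET)

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(verify_auth1_command(SAMPLE, 1, EVEN, SECRET))
```

For a command with two authorization sessions, call auth_digest twice with the same <paramDigest> and each session's own key, nonces and continueUse.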



4.4.3 Parameter List Tag Identifiers 



| Tag | Name | Description |
|---|---|---|
| 0x00C1 | TPM_TAG_RQU_COMMAND | A command with no authentication. |
| 0x00C2 | TPM_TAG_RQU_AUTH1_COMMAND | An authenticated command with one authentication handle |
| 0x00C3 | TPM_TAG_RQU_AUTH2_COMMAND | An authenticated command with two authentication handles |
| 0x00C4 | TPM_TAG_RSP_COMMAND | A response from a command with no authentication |
| 0x00C5 | TPM_TAG_RSP_AUTH1_COMMAND | An authenticated response with one authentication handle |
| 0x00C6 | TPM_TAG_RSP_AUTH2_COMMAND | An authenticated response with two authentication handles |

4.5 TCPA_VERSION

IDL Definition

    typedef struct tdTCPA_VERSION {
        BYTE major;
        BYTE minor;
        BYTE revMajor;
        BYTE revMinor;
    } TCPA_VERSION;



Parameters 



| Type | Name | Description |
|---|---|---|
| BYTE | major | This SHALL be the major version indicator. For version 1 this MUST be 0x01 |
| BYTE | minor | This SHALL be the minor version indicator. For version 1 this MUST be 0x01 |
| BYTE | revMajor | This SHALL be the value of the TCPA_PERSISTENT_DATA -> revMajor |
| BYTE | revMinor | This SHALL be the value of the TCPA_PERSISTENT_DATA -> revMinor |



Descriptions 

The version points to the version of the specification that defines the structure. 

If the validity of a structure depends on conformity to a version of the specification and/or to a version of 
the TPM, that structure SHALL include the current instance of TCPA_VERSION.



Version 1.1a 1 December 2001 



TCPA Main Specification 






4.6 TCPA_DIGEST 




Definition 

    typedef struct tdTCPA_DIGEST {
        BYTE digest[digestSize];
    } TCPA_DIGEST;



Parameters 



| Type | Name | Description |
|---|---|---|
| BYTE | digest | This SHALL be the actual digest information |



Description 

The digestSize parameter MUST indicate the block size of the algorithm and MUST be 20 or greater.
For all TCPA v1 hash operations, the hash algorithm MUST be SHA-1 and the digestSize parameter is 
therefore equal to 20. 
Redefinitions 



| Typedef | Name | Description |
|---|---|---|
| TCPA_DIGEST | TCPA_PCRVALUE | The value inside of the PCR |
| TCPA_DIGEST | TCPA_COMPOSITE_HASH | This SHALL be the hash of a list of PCR indexes and PCR values that a key or data is bound to (See 10.4.5 for details) |
| TCPA_DIGEST | TCPA_DIRVALUE | This SHALL be the value of a DIR register |
| TCPA_DIGEST | TCPA_HMAC | |
| TCPA_DIGEST | TCPA_CHOSENID_HASH | This SHALL be the digest of the chosen identityLabel and privacyCA for a new TPM identity. See 10.4.6 for details. |

4.7 TCPA_NONCE

Definition

    typedef struct tdTCPA_NONCE {
        BYTE nonce[20];
    } TCPA_NONCE;

Parameters

| Type | Name | Description |
|---|---|---|
| BYTE | nonce | This SHALL be the 20 bytes of random data. When created by the TPM the value MUST be the next 20 bytes from the RNG. |

4.8 TCPA_AUTHDATA




Definition 

typedef BYTE tdTCPA_AUTHDATA[20]; 

Parameters 

None. 

Descriptions 

When sending authorization data to the TPM the TPM does not validate the decryption of the data. It is 
the responsibility of the entity owner to validate that the authorization data was properly received by the 
TPM. This could be done by immediately attempting to open an authorization session. 

The owner of the data can select any value for the data.

Redefinitions 



| Typedef | Name | Description |
|---|---|---|
| TCPA_AUTHDATA | TCPA_SECRET | A secret plaintext value used in the authorization process. |
| TCPA_AUTHDATA | TCPA_ENCAUTH | A ciphertext (encrypted) version of authorization data. The encryption mechanism depends on the context. |

4.9 TCPA_KEY_HANDLE_LIST

IDL Definition

    typedef struct tdTCPA_KEY_HANDLE_LIST {
        UINT16 loaded;
        [size_is(loaded)] TCPA_KEY_HANDLE handle[];
    } TCPA_KEY_HANDLE_LIST;



Parameters 



| Type | Name | Description |
|---|---|---|
| UINT16 | loaded | The number of keys currently loaded in the TPM. |
| UINT32 | handle | An array of handles, one for each key currently loaded in the TPM |



Description 

The order in which keys are reported is manufacturer-specific. 
4.10 TCPA_KEY_USAGE values

| Name | Value | Description |
|---|---|---|
| TPM_KEY_SIGNING | 0x0010 | This SHALL indicate a signing key. The [private] key SHALL be used for signing operations, only. This means that it MUST be a leaf of the Protected Storage key hierarchy. |
| TPM_KEY_STORAGE | 0x0011 | This SHALL indicate a storage key. The key SHALL be used to wrap and unwrap other keys in the Protected Storage hierarchy, only. |
| TPM_KEY_IDENTITY | 0x0012 | This SHALL indicate an identity key. The key SHALL be used for operations that require a TPM identity, only. |
| TPM_KEY_AUTHCHANGE | 0x0013 | This SHALL indicate an ephemeral key that is in use during the ChangeAuthAsym process, only. |
| TPM_KEY_BIND | 0x0014 | This SHALL indicate a key that can be used for TPM_Bind and TPM_Unbind operations only. |
| TPM_KEY_LEGACY | 0x0015 | This SHALL indicate a key that can perform signing and binding operations. The key MAY be used for both signing and binding operations. The TPM_KEY_LEGACY key type is to allow for use by applications where both signing and encryption operations occur with the same key. The use of this key type is deprecated. |

4.10.1 Mandatory Key Usage Schemes

The key usage value for a key determines the encryption and / or signature schemes which MUST be 
used with that key. The table below maps the schemes defined by this specification to the defined key 
usage values. See sections 8.4 and 8.5. 




| Name | Allowed Encryption schemes | Allowed Signature Schemes |
|---|---|---|
| TPM_KEY_SIGNING | TCPA_ES_NONE | TCPA_SS_RSASSAPKCS1v15_SHA1, TCPA_SS_RSASSAPKCS1v15_DER |
| TPM_KEY_STORAGE | TCPA_ES_RSAESOAEP_SHA1_MGF1 | TCPA_SS_NONE |
| TPM_KEY_IDENTITY | TCPA_ES_NONE | TCPA_SS_RSASSAPKCS1v15_SHA1 |
| TPM_KEY_AUTHCHANGE | TCPA_ES_RSAESOAEP_SHA1_MGF1 | TCPA_SS_NONE |
| TPM_KEY_BIND | TCPA_ES_RSAESOAEP_SHA1_MGF1, TCPA_ES_RSAESPKCSv15 | TCPA_SS_NONE |
| TPM_KEY_LEGACY | TCPA_ES_RSAESOAEP_SHA1_MGF1, TCPA_ES_RSAESPKCSv15 | TCPA_SS_RSASSAPKCS1v15_SHA1, TCPA_SS_RSASSAPKCS1v15_DER |

Where manufacturer specific schemes are used, the strength must be at least that listed in the above
table for TPM_KEY_STORAGE, TPM_KEY_IDENTITY and TPM_KEY_AUTHCHANGE key types.

4.11 TCPA_AUTH_DATA_USAGE values

| Name | Value | Description |
|---|---|---|
| TPM_AUTH_NEVER | 0x00 | This SHALL indicate that usage of the key without authorization is permitted. |
| TPM_AUTH_ALWAYS | 0x01 | This SHALL indicate that on each usage of the key the authorization MUST be performed. |

All other values are reserved for future use.

4.12 TCPA_KEY_FLAGS

TCPA_KEY_FLAGS Values

| Name | Mask Value | Description |
|---|---|---|
| redirection | 0x00000001 | This mask value SHALL indicate the use of redirected output. |
| migratable | 0x00000002 | This mask value SHALL indicate that the key is migratable. |
| volatileKey | 0x00000004 | This mask value SHALL indicate that the key MUST be unloaded upon execution of the TPM_Init/TPM_Startup sequence. |

The value of TCPA_KEY_FLAGS MUST be decomposed into individual mask values. The presence of a
mask value SHALL have the effect described in the above table.

4.13 Flags and persistent data structures

4.13.1 TCPA persistent data

IDL Definition

    typedef struct tdTCPA_PERSISTENT_DATA {
        BYTE revMajor;
        BYTE revMinor;
        TCPA_NONCE tpmProof;
        TCPA_PUBKEY manuMaintPub;
        TCPA_KEY endorsementKey;
        TCPA_SECRET ownerAuth;
        TCPA_KEY srk;
        TCPA_DIRVALUE* dir;
        BYTE* rngState;
        BYTE ordinalAuditStatus;
    } TCPA_PERSISTENT_DATA;

Type

These data exist in TPM shielded-locations, only, and SHALL be non-volatile. Other TCPA data MAY be
persistent, except when specifically prohibited (by an IsVolatile flag, for example).

Description 

Types of Persistent Data 



| Type | Name | Description |
|---|---|---|
| BYTE | revMajor | This is the TPM major revision indicator. This SHALL be set by the TPME, only. The default value is manufacturer-specific. |
| BYTE | revMinor | This is the TPM minor revision indicator. This SHALL be set by the TPME, only. The default value is manufacturer-specific. |
| TCPA_NONCE | tpmProof | This is a random number that each TPM maintains to validate blobs in the SEAL and other processes. The default value is manufacturer-specific. |
| TCPA_PUBKEY | manuMaintPub | This is the manufacturer's public key to use in the maintenance operations. The default value is manufacturer-specific. |
| TCPA_KEY | endorsementKey | This is the TPM's endorsement key pair. See 9.2. The default value is manufacturer-specific. |
| TCPA_SECRET | ownerAuth | This is the TPM-Owner's authorization data. See 5.11.1. The default value is manufacturer-specific. |
| TCPA_KEY | srk | This is the TPM's StorageRootKey. See 5.11.1. The default value is manufacturer-specific. |
| TCPA_DIRVALUE* | dir | These are the DataIntegrityRegisters. There MUST be at least one DIR. See, for example, 6.3.4. The default value of a DIR is zero. |
| BYTE* | rngState | State information describing the random number generator. The default state and subsequent states are described in 10.5. |
| BYTE | ordinalAuditStatus | Table indicating which ordinals are being audited. See section 8.12 |

4.13.2 TCPA_PERSISTENT_FLAGS Structure

typedef struct tdTCPA_PERSISTENT_FLAGS{
    BOOL disable;
    BOOL ownership;
    BOOL deactivated;
    BOOL readPubek;
    BOOL disableOwnerClear;
    BOOL allowMaintenance;
    BOOL physicalPresenceLifetimeLock;
    BOOL physicalPresenceHWEnable;
    BOOL physicalPresenceCMDEnable;
    BOOL CEKPUsed;
} TCPA_PERSISTENT_FLAGS;

Type

TPM shielded location: These flags exist only in a TPM shielded-location and SHALL be non-volatile.
Other flags MAY be persistent, except when specifically prohibited.

Parameters

Type   Name                           Description
BOOL   disable                        The state of the disable flag. See 8.14. The default state is TRUE
BOOL   ownership                      The ability to install an owner. See 8.12.5. The default state is
                                      TRUE.
BOOL   deactivated                    The state of the inactive flag. See 8.15. The default state is TRUE.
BOOL   readPubek                      The ability to read the PUBEK without owner authorization. See
                                      9.2.2. The default state is TRUE.
BOOL   disableOwnerClear              Whether the owner authorized clear commands are active. See 8.10.6.
                                      The default state is FALSE.
BOOL   allowMaintenance               Whether the TPM Owner may create a maintenance archive. See 7.3.1.
                                      The default state is TRUE.
BOOL   physicalPresenceLifetimeLock   This bit can only be set to TRUE; it cannot be set to FALSE except
                                      during the manufacturing process.
                                      FALSE: The state of either physicalPresenceHWEnable or
                                      physicalPresenceCMDEnable MAY be changed. (DEFAULT)
                                      TRUE: The state of either physicalPresenceHWEnable or
                                      physicalPresenceCMDEnable MUST NOT be changed for the life of the
                                      TPM.
BOOL   physicalPresenceHWEnable       FALSE: Disable the hardware signal indicating physical presence.
                                      (DEFAULT)
                                      TRUE: Enables the hardware signal indicating physical presence.
BOOL   physicalPresenceCMDEnable      FALSE: Disable the command indicating physical presence. (DEFAULT)
                                      TRUE: Enables the command indicating physical presence.
BOOL   CEKPUsed                       TRUE: The PRIVEK and PUBEK were created using
                                      TPM_CreateEndorsementKeyPair.
                                      FALSE: The PRIVEK and PUBEK were created using a manufacturer's
                                      process.
                                      NOTE: This flag has no default value as the key pair MUST be
                                      created by one or the other mechanism.

Description

The data structure TCPA_PERSISTENT_FLAGS SHALL exist in a TPM shielded-location, only, and
SHALL be non-volatile.

The physicalPresenceHWEnable and physicalPresenceCMDEnable flags MUST mask their respective
signals before further processing. The hardware signal, if enabled by the physicalPresenceHWEnable
flag, MUST be logically ORed with the PhysicalPresence flag, if enabled, to obtain the final physical
presence value used to allow or disallow local commands.

Actions

1. Disable flag

   a. If disable has the value of TRUE the following commands will execute with their normal
      protections

      i. TPM_Reset
      ii. TPM_Init
      iii. TPM_Startup
      iv. TPM_SaveState
      v. TPM_SHA1Start
      vi. TPM_SHA1Update
      vii. TPM_SHA1Complete
      viii. TPM_SHA1CompleteExtend
      ix. TSC_PhysicalPresence
      x. TPM_OIAP
      xi. TPM_OSAP
      xii. TPM_GetCapability
      xiii. TPM_Extend
      xiv. TPM_OwnerSetDisable
      xv. TPM_PhysicalEnable
      xvi. TPM_ContinueSelfTest
      xvii. TPM_SelfTestFull
      xviii. TPM_GetTestResult

   b. All other commands SHALL return TCPA_DISABLED.

2. Ownership flag

   a. If ownership has the value of FALSE, then any attempt to install an owner fails with the error
      value TCPA_INSTALL_DISABLED.

3. Deactivated flag

   a. This flag sets the state of TCPA_VOLATILE_FLAGS -> deactivated upon initialization.

4. readPubek

   a. If readPubek is TRUE then the TPM_ReadPubek will return the PUBEK, if FALSE the
      command will return TCPA_DISABLED_CMD.

5. DisableOwnerClear

   a. If disableOwnerClear is TRUE then the clear commands requiring owner authorization will
      return TCPA_CLEAR_DISABLED, if false the commands will execute.

4.13.3 TCPA_VOLATILE_FLAGS Structure

IDL Definition

typedef struct tdTCPA_VOLATILE_FLAGS {
    BOOL deactivated;
    BOOL disableForceClear;
    BOOL physicalPresence;
    BOOL physicalPresenceLock;
    BOOL postInitialise;
} TCPA_VOLATILE_FLAGS;

Type

TPM shielded location

Parameters

Type   Name                   Description
BOOL   deactivated            Prevents the operation of most capabilities. There is no default
                              state. It is initialized by TPM_Startup to the same value as
                              TCPA_PERSISTENT_FLAGS -> deactivated. TPM_SetTempDeactivated sets it
                              to TRUE.
BOOL   disableForceClear      Prevents the operation of TPM_ForceClear when TRUE. The default state
                              is FALSE. TPM_DisableForceClear sets it to TRUE.
BOOL   physicalPresence       Indicates that a User is physically present when TRUE. The default
                              state is FALSE (User is not physically present)
BOOL   physicalPresenceLock   Indicates whether changes to the physicalPresence flag are permitted.
                              TPM_Startup/ST_CLEAR sets PhysicalPresence to its default state of
                              FALSE (allow changes to PhysicalPresence flag). The meaning of TRUE
                              is: Do not allow further changes to PhysicalPresence flag.
                              TSC_PhysicalPresence can change the state of physicalPresenceLock.
BOOL   postInitialise         Prevents the operation of most capabilities. There is no default
                              state. It is initialized by TPM_Init to TRUE. TPM_Startup sets it to
                              FALSE.

Description

The data structure TCPA_VOLATILE_FLAGS SHALL exist only in a TPM shielded-location.
The data structure TCPA_VOLATILE_FLAGS MAY be held in non-volatile storage.

Actions

1. Deactivated flag

   a. If deactivated is TRUE the following commands SHALL execute with their normal protections

      i. TPM_Reset
      ii. TPM_Init
      iii. TPM_Startup
      iv. TPM_SaveState
      v. TPM_SHA1Start
      vi. TPM_SHA1Update
      vii. TPM_SHA1Complete
      viii. TPM_SHA1CompleteExtend
      ix. TSC_PhysicalPresence
      x. TPM_OIAP
      xi. TPM_OSAP
      xii. TPM_GetCapability
      xiii. TPM_TakeOwnership
      xiv. TPM_OwnerSetDisable
      xv. TPM_PhysicalDisable
      xvi. TPM_PhysicalEnable
      xvii. TPM_PhysicalSetDeactivated
      xviii. TPM_ContinueSelfTest
      xix. TPM_SelfTestFull
      xx. TPM_GetTestResult

   b. All other commands SHALL return TCPA_DEACTIVATED.

2. DisableForceClear

   If disableForceClear is TRUE then the TPM_ForceClear command returns
   TCPA_CLEAR_DISABLED, if FALSE then the command will execute.

3. PhysicalPresence

   If PhysicalPresence is TRUE and TCPA_PERSISTENT_FLAGS -> physicalPresenceCMDEnable
   is TRUE, the TPM MAY assume that the Owner is physically present. If PhysicalPresence is
   FALSE, the TPM MUST assume that the Owner is physically absent. Note that this
   PhysicalPresence is exclusive of the unambiguous physical presence indication required for
   TPM_PhysicalEnable. They MAY be the same hardware signal depending on the design of the
   platform and TPM.

4. physicalPresenceLock

   If physicalPresenceLock is TRUE, TSC_PhysicalPresence MUST NOT change the
   physicalPresence flag. If physicalPresenceLock is FALSE, TSC_PhysicalPresence will operate.

5. postInitialise

   a. If postInitialise is TRUE the following commands SHALL execute with their normal
      protections:

      i. TPM_Startup
      ii. TPM_CreateEndorsementKey
      iii. TPM_GetCapability
      iv. TPM_ContinueSelfTest
      v. TPM_SelfTestFull
      vi. TPM_GetTestResult

   b. All other commands SHALL set the flag TCPA_VOLATILE_FLAGS -> postInitialise to FALSE,
      set TCPA_VOLATILE_FLAGS -> deactivated to TRUE, and return
      TCPA_INVALID_POSTINIT

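
The command gating in the Actions of 4.13.2 and 4.13.3, and the masking of the two physical-presence sources, modelled in C as an added example; this is not code from the specification. The numeric result values, the helper names (gate, model_init, model_startup, after_init, physical_presence) and the order in which the three checks are applied are assumptions of the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Result names are from the section; the numeric values are placeholders
 * constructed for this example, not the specification's return codes. */
typedef enum { R_SUCCESS, R_DISABLED, R_DEACTIVATED, R_INVALID_POSTINIT } result_t;

/* Only the flags needed here, taken from the two flag structures. */
typedef struct { bool disable, deactivated; } persistent_flags;
typedef struct { bool deactivated, postInitialise; } volatile_flags;

/* 4.13.2 Actions 1.a: still executes while persistent disable is TRUE. */
static const char *const ALLOWED_DISABLED[] = {
    "TPM_Reset", "TPM_Init", "TPM_Startup", "TPM_SaveState", "TPM_SHA1Start",
    "TPM_SHA1Update", "TPM_SHA1Complete", "TPM_SHA1CompleteExtend",
    "TSC_PhysicalPresence", "TPM_OIAP", "TPM_OSAP", "TPM_GetCapability",
    "TPM_Extend", "TPM_OwnerSetDisable", "TPM_PhysicalEnable",
    "TPM_ContinueSelfTest", "TPM_SelfTestFull", "TPM_GetTestResult", NULL };

/* 4.13.3 Actions 1.a: still executes while volatile deactivated is TRUE. */
static const char *const ALLOWED_DEACTIVATED[] = {
    "TPM_Reset", "TPM_Init", "TPM_Startup", "TPM_SaveState", "TPM_SHA1Start",
    "TPM_SHA1Update", "TPM_SHA1Complete", "TPM_SHA1CompleteExtend",
    "TSC_PhysicalPresence", "TPM_OIAP", "TPM_OSAP", "TPM_GetCapability",
    "TPM_TakeOwnership", "TPM_OwnerSetDisable", "TPM_PhysicalDisable",
    "TPM_PhysicalEnable", "TPM_PhysicalSetDeactivated",
    "TPM_ContinueSelfTest", "TPM_SelfTestFull", "TPM_GetTestResult", NULL };

/* 4.13.3 Actions 5.a: executes while volatile postInitialise is TRUE. */
static const char *const ALLOWED_POSTINIT[] = {
    "TPM_Startup", "TPM_CreateEndorsementKey", "TPM_GetCapability",
    "TPM_ContinueSelfTest", "TPM_SelfTestFull", "TPM_GetTestResult", NULL };

static bool in_list(const char *const *list, const char *cmd) {
    for (; *list != NULL; list++)
        if (strcmp(*list, cmd) == 0) return true;
    return false;
}

/* TPM_Init sets postInitialise to TRUE. */
void model_init(volatile_flags *v) { v->postInitialise = true; }

/* TPM_Startup copies the persistent deactivated flag and clears postInitialise. */
void model_startup(const persistent_flags *p, volatile_flags *v) {
    v->deactivated = p->deactivated;
    v->postInitialise = false;
}

/* Decide whether cmd may execute. ASSUMPTION: the checks run in the order
 * postInitialise, disable, deactivated, and a command must pass all three. */
result_t gate(const persistent_flags *p, volatile_flags *v, const char *cmd) {
    if (v->postInitialise && !in_list(ALLOWED_POSTINIT, cmd)) {
        /* Wrong command before TPM_Startup: the TPM deactivates itself. */
        v->postInitialise = false;
        v->deactivated = true;
        return R_INVALID_POSTINIT;
    }
    if (p->disable && !in_list(ALLOWED_DISABLED, cmd)) return R_DISABLED;
    if (v->deactivated && !in_list(ALLOWED_DEACTIVATED, cmd)) return R_DEACTIVATED;
    return R_SUCCESS;
}

/* Final physical-presence value: each source is masked by its enable flag
 * first, then the two masked values are ORed. */
bool physical_presence(bool hwEnable, bool cmdEnable, bool hwSignal, bool ppFlag) {
    return (hwEnable && hwSignal) || (cmdEnable && ppFlag);
}

/* Issue up to two commands after TPM_Init; return the result of the last one. */
result_t after_init(bool disable, bool deactivated, const char *c1, const char *c2) {
    persistent_flags p = { disable, deactivated };
    volatile_flags v = { false, false };
    const char *cmds[2] = { c1, c2 };
    result_t r = R_SUCCESS;
    model_init(&v);
    for (int i = 0; i < 2 && cmds[i] != NULL; i++) {
        r = gate(&p, &v, cmds[i]);
        if (r == R_SUCCESS && strcmp(cmds[i], "TPM_Startup") == 0)
            model_startup(&p, &v);
    }
    return r;
}

int main(void) {
    printf("Seal before Startup:      %d\n", after_init(false, false, "TPM_Seal", NULL));
    printf("Extend while disabled:    %d\n", after_init(true, false, "TPM_Startup", "TPM_Extend"));
    printf("Extend while deactivated: %d\n", after_init(false, true, "TPM_Startup", "TPM_Extend"));
    return 0;
}
```

The two allow-lists are not identical: TPM_Extend appears only in the disabled list, while TPM_TakeOwnership, TPM_PhysicalDisable and TPM_PhysicalSetDeactivated appear only in the deactivated list.
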
4.14 TCPA_PAYLOAD_TYPE

Definition

typedef unsigned char TCPA_PAYLOAD_TYPE;

TCPA_PAYLOAD_TYPE Values

Value         Name              Comments
0x01          TCPA_PT_ASYM      The entity is an asymmetric key
0x02          TCPA_PT_BIND      The entity is bound data
0x03          TCPA_PT_MIGRATE   The entity is a migration blob
0x04          TCPA_PT_MAINT     The entity is a maintenance blob
0x05          TCPA_PT_SEAL      The entity is sealed data
0x06 - 0x7F                     Reserved for future use by TCPA
0x80 - 0xFF                     Vendor specific payloads

4.15 TCPA_ENTITY_TYPE

TCPA_ENTITY_TYPE Values

Value    Event Name          Comments
0x0001   TCPA_ET_KEYHANDLE   The entity is a keyHandle
0x0002   TCPA_ET_OWNER       The entity is the TPM Owner
0x0003   TCPA_ET_DATA        The entity is some data
0x0004   TCPA_ET_SRK         The entity is the SRK
0x0005   TCPA_ET_KEY         The entity is a key

Description

For the entity type of TCPA_ET_OWNER the associated key handle MUST be 0x40000001.
For the entity type of TCPA_ET_SRK the associated key handle MUST be 0x40000000.

4.16 TCPA_STARTUP_TYPE

TCPA_STARTUP_TYPE Values

Value    Event Name            Comments
0x0001   TCPA_ST_CLEAR         The TPM is starting up from a clean state
0x0002   TCPA_ST_STATE         The TPM is starting up from a saved state
0x0003   TCPA_ST_DEACTIVATED   The TPM is to startup and set the deactivated flag to TRUE



Version 1.1a 1 December 2001, TCPA Main Specification

4.17 TCPA_PROTOCOL_ID

typedef UINT16 TCPA_PROTOCOL_ID;

Value    Event Name       Comments
0x0001   TCPA_PID_OIAP    The OIAP protocol. See 5.2.1
0x0002   TCPA_PID_OSAP    The OSAP protocol. See 5.2.4
0x0003   TCPA_PID_ADIP    The ADIP protocol. See 5.4
0x0004   TCPA_PID_ADCP    The ADCP protocol. See 5.6
0x0005   TCPA_PID_OWNER   The protocol for taking ownership of a TPM. See 5.11

4.18 TCPA_ALGORITHM_ID

Definition

TCPA_ALGORITHM_ID values

Name            Value        Description
TCPA_ALG_RSA    0x00000001   The RSA algorithm.
TCPA_ALG_DES    0x00000002   The DES algorithm
TCPA_ALG_3DES   0x00000003   The 3DES algorithm
TCPA_ALG_SHA    0x00000004   The SHA1 algorithm
TCPA_ALG_HMAC   0x00000005   The RFC 2104 HMAC algorithm
TCPA_ALG_AES    0x00000006   The AES algorithm

The TPM MUST support the algorithms TCPA_ALG_RSA, TCPA_ALG_SHA, TCPA_ALG_HMAC.

Name                                   Value     Description
TCPA_PHYSICAL_PRESENCE_LIFETIME_LOCK   0x0080h   Sets the physicalPresenceLifetimeLock to TRUE
TCPA_PHYSICAL_PRESENCE_HW_ENABLE       0x0040h   Sets the physicalPresenceHWEnable to TRUE
TCPA_PHYSICAL_PRESENCE_CMD_ENABLE      0x0020h   Sets the physicalPresenceCMDEnable to TRUE
TCPA_PHYSICAL_PRESENCE_NOTPRESENT      0x0010h   Sets PhysicalPresence = FALSE
TCPA_PHYSICAL_PRESENCE_PRESENT         0x0008h   Sets PhysicalPresence = TRUE
TCPA_PHYSICAL_PRESENCE_LOCK            0x0004h   Sets PhysicalPresenceLock = TRUE

4.20 TCPA_KEY_PARMS

Definition

typedef struct tdTCPA_KEY_PARMS {
    TCPA_ALGORITHM_ID algorithmID;
    TCPA_ENC_SCHEME encScheme;
    TCPA_SIG_SCHEME sigScheme;
    UINT32 parmSize;
    [size_is(parmSize)] BYTE* parms;
} TCPA_KEY_PARMS;

Parameters

Type                Name          Description
TCPA_ALGORITHM_ID   algorithmID   This SHALL be the key algorithm in use
UINT32              parmSize      This SHALL be the size of the parms field in bytes
TCPA_ENC_SCHEME     encScheme     This SHALL be the encryption scheme that the key uses to encrypt
                                  information see section 8.4
TCPA_SIG_SCHEME     sigScheme     This SHALL be the signature scheme that the key uses to perform
                                  digital signatures see section 8.5
BYTE[]              parms         This SHALL be the parameter information dependent upon the key
                                  algorithm.

Descriptions

The contents of the 'parms' field will vary depending upon algorithmId:

Algorithm Id    PARMS Contents
TCPA_ALG_RSA    A structure of type TCPA_RSA_KEY_PARMS
TCPA_ALG_DES    No content
TCPA_ALG_3DES   No content - Need description of key size (3 full keys etc) and mode EDE etc.
TCPA_ALG_SHA    No content
TCPA_ALG_HMAC   No content
TCPA_ALG_AES    No content - Need description of key size (128, 192, 256)

4.20.1 TCPA_RSA_KEY_PARMS

Definition

typedef struct tdTCPA_RSA_KEY_PARMS {
    UINT32 keyLength;
    UINT32 numPrimes;
    UINT32 exponentSize;
    BYTE[] exponent;
} TCPA_RSA_KEY_PARMS;

Parameters

Type     Name           Description
UINT32   keyLength      This specifies the size of the RSA key in bits
UINT32   numPrimes      This specifies the number of prime factors used by this RSA key.
UINT32   exponentSize   This SHALL be the size of the exponent. If the key is using the exponent
                        from 10.4.1 then the exponentSize MUST be 0.
BYTE[]   exponent       The public exponent of this key

4.21 TCPA_CHANGEAUTH_VALIDATE

Definition

typedef struct tdTCPA_CHANGEAUTH_VALIDATE {
    TCPA_SECRET newAuthSecret;
    TCPA_NONCE n1;
} TCPA_CHANGEAUTH_VALIDATE;

Parameters

Type          Name            Description
TCPA_SECRET   newAuthSecret   This SHALL be the new authorization data for the target entity
TCPA_NONCE    n1              This SHOULD be a nonce, to enable the caller to verify that the target
                              TPM is on-line.

4.22 TCPA_MIGRATE_SCHEME

Definition

TCPA_MIGRATE_SCHEME values

Name              Value    Description
TCPA_MS_MIGRATE   0x0001   A public key that can be used with all TCPA migration commands other
                           than 'ReWrap' mode.
TCPA_MS_REWRAP    0x0002   A public key that can be used for the ReWrap mode of
                           TPM_CreateMigrationBlob.
TCPA_MS_MAINT     0x0003   A public key that can be used for the Maintenance commands

4.23 TCPA_MIGRATIONKEYAUTH

Definition

typedef struct tdTCPA_MIGRATIONKEYAUTH{
    TCPA_PUBKEY migrationKey;
    TCPA_MIGRATE_SCHEME migrationScheme;
    TCPA_DIGEST digest;
} TCPA_MIGRATIONKEYAUTH;

Parameters

Type                  Name              Description
TCPA_PUBKEY           migrationKey      This SHALL be the public key of the migration facility
TCPA_MIGRATE_SCHEME   migrationScheme   This shall be the type of migration operation.
TCPA_DIGEST           digest            This SHALL be the digest value of the concatenation of
                                        migration key, migration scheme and tpmProof

4.24 TCPA_AUDIT_EVENT structure

IDL Definition

typedef struct tdTCPA_AUDIT_EVENT {
    TCPA_COMMAND_CODE ordinal;
    TCPA_RESULT returncode;
} TCPA_AUDIT_EVENT;

Parameters

Type                Name         Description
TCPA_COMMAND_CODE   ordinal      Ordinal of the command
TCPA_RESULT         returncode   Return code for the command

4.25.1 TCPA_EVENT_CERT

Definition

typedef struct tdTCPA_EVENT_CERT {
    TCPA_DIGEST certificateHash;
    TCPA_DIGEST entityDigest;
    BOOL digestChecked;
    BOOL digestVerified;
    UINT32 issuerSize;
    [size_is(issuerSize)] BYTE* issuer;
} TCPA_EVENT_CERT;

Parameters

Type          Name              Description
TCPA_DIGEST   certificateHash   Hash of the entire VE certificate
TCPA_DIGEST   entityDigest      Actual digest value of the entity
BOOL          digestChecked     TRUE if the entity logging this event checked the measured value
                                against the digest value in the certificate.
                                FALSE if no checking was attempted.
BOOL          digestVerified    Only valid when DigestChecked is TRUE.
                                TRUE if measured value matches digest value in certificate, FALSE
                                otherwise.
UINT32        issuerSize        Size of the Issuer parameter
BYTE*         issuer            Actual issuer certificate

4.25.3 TCPA_PCR_SELECTION

Definition

typedef struct tdTCPA_PCR_SELECTION {
    UINT16 sizeOfSelect;
    [size_is(sizeOfSelect)] BYTE pcrSelect[];
} TCPA_PCR_SELECTION;

Parameters

Type     Name           Description
UINT16   sizeOfSelect   The size in bytes of the pcrSelect structure
BYTE     pcrSelect      This SHALL be a bit map that indicates if a PCR is active or not

Description

When the least-significant-bit of byte [N+1] of pcrSelect is butted against the most-significant-bit of byte
[N] of pcrSelect for (15>=N>=0), the contiguous bit array so formed SHALL represent PCR indices in
monotonically increasing order, starting from PCR index zero represented by bit 0 of byte 0 of pcrSelect.

The state of each bit in pcrSelect indicates whether a PCR register is selected or not. When the bit is 1
then the corresponding PCR is selected, if 0 the PCR is not selected.

The TPM MUST support a minimum sizeOfSelect of 2, larger sizes are allowable. The TPM MAY support
TCPA_PCR_SELECTION structures with a larger size.

4.25.4 TCPA_PCR_COMPOSITE

Definition

typedef struct tdTCPA_PCR_COMPOSITE {
    TCPA_PCR_SELECTION select;
    UINT32 valueSize;
    [size_is(valueSize)] TCPA_PCRVALUE pcrValue[];
} TCPA_PCR_COMPOSITE;

Parameters

Type                 Name         Description
TCPA_PCR_SELECTION   select       This SHALL be the indication of which PCR values are active
UINT32               valueSize    This SHALL be the size of the pcrValue field
TCPA_PCRVALUE        pcrValue[]   This SHALL be an array of TCPA_PCRVALUE structures. The values come
                                  in the order specified by the select parameter and are concatenated
                                  into a single blob

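
A bounds-checked reader for a serialized TCPA_PCR_COMPOSITE that applies the pcrSelect bit ordering of 4.25.3 and the value ordering of 4.25.4, added here as an example and not taken from the specification. It assumes big-endian integers and 20-byte PCR values, which these two sections do not state; the function names, error names and sample blob are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASSUMPTIONS (not stated in 4.25.3 or 4.25.4): integers are serialized
 * big-endian and one TCPA_PCRVALUE is a 20-byte SHA-1 digest. */
#define PCR_VALUE_LEN 20u

enum { PCR_OK = 0, PCR_TRUNCATED = -1, PCR_SIZE_MISMATCH = -2, PCR_NOT_SELECTED = -3 };

/* Read an n-byte big-endian unsigned integer (n <= 4). */
static uint32_t be(const uint8_t *p, size_t n) {
    uint32_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* 1 if PCR `index` is selected: bit (index % 8) of byte (index / 8), where
 * bit 0 is the least significant bit. Indices past the bitmap are unselected. */
int pcr_is_selected(const uint8_t *sel, uint16_t sizeOfSelect, unsigned index) {
    if (index / 8 >= sizeOfSelect) return 0;
    return (sel[index / 8] >> (index % 8)) & 1;
}

/* Number of selected PCRs whose index is below `limit`. */
unsigned pcr_count_below(const uint8_t *sel, uint16_t sizeOfSelect, unsigned limit) {
    unsigned n = 0;
    for (unsigned i = 0; i < limit; i++)
        n += (unsigned)pcr_is_selected(sel, sizeOfSelect, i);
    return n;
}

/* Validate the blob and point *value at the 20 bytes recorded for PCR `index`.
 * Every length field is checked against the buffer before it is trusted. */
int pcr_composite_lookup(const uint8_t *buf, size_t len, unsigned index,
                         const uint8_t **value) {
    if (len < 2) return PCR_TRUNCATED;
    uint16_t sos = (uint16_t)be(buf, 2);                 /* sizeOfSelect */
    if (len - 2 < (size_t)sos + 4) return PCR_TRUNCATED;
    const uint8_t *sel = buf + 2;                        /* pcrSelect[] */
    uint32_t valueSize = be(sel + sos, 4);
    if (valueSize > len - 2 - sos - 4) return PCR_TRUNCATED;
    /* valueSize must agree with the number of bits set in pcrSelect. */
    if (valueSize != pcr_count_below(sel, sos, 8u * sos) * PCR_VALUE_LEN)
        return PCR_SIZE_MISMATCH;
    if (!pcr_is_selected(sel, sos, index)) return PCR_NOT_SELECTED;
    /* Values are concatenated in increasing PCR order, so the slot of
     * `index` is the number of selected PCRs below it. */
    *value = sel + sos + 4 + (size_t)pcr_count_below(sel, sos, index) * PCR_VALUE_LEN;
    return PCR_OK;
}

/* Constructed sample: sizeOfSelect = 2, pcrSelect = {0x05, 0x01} selects PCRs
 * 0, 2 and 8; each value is filled with 0xA0 + index. claimedValueSize is
 * written into the valueSize field so inconsistent blobs can be tried.
 * Returns the first byte of the value, or the negative error code. */
int sample_lookup(unsigned index, uint32_t claimedValueSize) {
    uint8_t blob[2 + 2 + 4 + 3 * PCR_VALUE_LEN] = { 0x00, 0x02, 0x05, 0x01 };
    const unsigned selected[3] = { 0, 2, 8 };
    const uint8_t *value = NULL;
    for (int i = 0; i < 4; i++)
        blob[4 + i] = (uint8_t)(claimedValueSize >> (24 - 8 * i));
    for (int i = 0; i < 3; i++)
        memset(blob + 8 + i * PCR_VALUE_LEN, 0xA0 + (int)selected[i], PCR_VALUE_LEN);
    int rc = pcr_composite_lookup(blob, sizeof blob, index, &value);
    return rc == PCR_OK ? value[0] : rc;
}

int main(void) {
    printf("PCR 8, valueSize 60: %d\n", sample_lookup(8, 60));
    printf("PCR 1, valueSize 60: %d\n", sample_lookup(1, 60));
    printf("PCR 8, valueSize 40: %d\n", sample_lookup(8, 40));
    printf("PCR 8, valueSize 80: %d\n", sample_lookup(8, 80));
    return 0;
}
```
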
4.25.5 TCPA_PCR_INFO

Definition

typedef struct tdTCPA_PCR_INFO{
    TCPA_PCR_SELECTION pcrSelection;
    TCPA_COMPOSITE_HASH digestAtRelease;
    TCPA_COMPOSITE_HASH digestAtCreation;
} TCPA_PCR_INFO;

Parameters

Type                  Name               Description
TCPA_PCR_SELECTION    pcrSelection       This SHALL be the selection of PCRs to which the data or key
                                         is bound.
TCPA_COMPOSITE_HASH   digestAtRelease    This SHALL be the digest of the PCR indices and PCR values to
                                         verify when revealing Sealed Data or using a key that was
                                         wrapped to PCRs.
TCPA_COMPOSITE_HASH   digestAtCreation   This SHALL be the composite digest value of the PCR values,
                                         at the time when the sealing is performed.

4.26 Storage Structures

4.26.1 TCPA_STORED_DATA

Definition

typedef struct tdTCPA_STORED_DATA {
    TCPA_VERSION ver;
    UINT32 sealInfoSize;
    [size_is(sealInfoSize)] BYTE* sealInfo;
    UINT32 encDataSize;
    [size_is(encDataSize)] BYTE* encData;
} TCPA_STORED_DATA;

Parameters

Type           Name           Description
TCPA_VERSION   ver            Version number defined in section 4.5.
UINT32         sealInfoSize   Size of the sealInfo parameter
BYTE*          sealInfo       This SHALL be a structure of type TCPA_PCR_INFO or a 0 length array if
                              the data is not bound to PCRs.
UINT32         encDataSize    This SHALL be the size of the encData parameter
BYTE*          encData        This shall be an encrypted TCPA_SEALED_DATA structure containing the
                              confidential part of the data.

Descriptions

This structure is created during the TPM_Seal process. The confidential data is encrypted using a
non-migratable key. When the TPM_Unseal decrypts this structure the TPM_Unseal uses the public
information in the structure to validate the current configuration and release the decrypted data.

4.26.2 TCPA_SEALED_DATA

Definition

typedef struct tdTCPA_SEALED_DATA {
    TCPA_PAYLOAD_TYPE payload;
    TCPA_SECRET authData;
    TCPA_NONCE tpmProof;
    TCPA_DIGEST storedDigest;
    UINT32 dataSize;
    [size_is(dataSize)] BYTE* data;
} TCPA_SEALED_DATA;

Parameters

Type                Name           Description
TCPA_PAYLOAD_TYPE   payload        This SHALL indicate the payload type of TCPA_PT_SEAL
TCPA_SECRET         authData       This SHALL be the authorization data for this value
TCPA_NONCE          tpmProof       This SHALL be a copy of TPM_PERSISTENT_FLAGS -> tpmProof
TCPA_DIGEST         storedDigest   This SHALL be a digest of the TCPA_STORED_DATA structure, excluding
                                   the fields TCPA_STORED_DATA -> encDataSize and
                                   TCPA_STORED_DATA -> encData.
UINT32              dataSize       This SHALL be the size of the data parameter
BYTE*               data           This SHALL be the data to be sealed

Description

To tie the TCPA_STORED_DATA structure to the TCPA_SEALED_DATA structure this structure
contains a digest of the containing TCPA_STORED_DATA structure.

The digest calculation does not include the encDataSize and encData parameters.

4.26.3 TCPA_SYMMETRIC_KEY

Definition

typedef struct tdTCPA_SYMMETRIC_KEY {
    TCPA_ALGORITHM_ID algid;
    TCPA_ENC_SCHEME encScheme;
    UINT16 size;
    [size_is(size)] BYTE* data;
} TCPA_SYMMETRIC_KEY;

Parameters

Type                Name        Description
TCPA_ALGORITHM_ID   algid       This SHALL be the algorithm identifier of the symmetric key.
TCPA_ENC_SCHEME     encScheme   This SHALL fully identify the manner in which the key will be used
                                for encryption operations.
UINT16              size        This SHALL be the size of the data parameter in bytes
BYTE*               data        This SHALL be the symmetric key data

Definition

typedef struct tdTCPA_BOUND_DATA {
    TCPA_VERSION ver;
    TCPA_PAYLOAD_TYPE payload;
    BYTE[] payloadData;
} TCPA_BOUND_DATA;

Parameters

Type                Name          Description
TCPA_VERSION        ver           Version number defined in section 4.5.
TCPA_PAYLOAD_TYPE   payload       This SHALL be the value TCPA_PT_BIND
BYTE[]              payloadData   The bound data

Descriptions

This structure MUST be used for creating data when (wrapping with a key of type TPM_KEY_BIND) or
(wrapping using the encryption algorithm TCPA_ES_RSAESOAEP_SHA1_M). If it is not, the
TPM_UnBind command will fail.

4.27 TCPA_KEY complex

Definition

typedef struct tdTCPA_KEY {
    TCPA_VERSION ver;
    TCPA_KEY_USAGE keyUsage;
    TCPA_KEY_FLAGS keyFlags;
    TCPA_AUTH_DATA_USAGE authDataUsage;
    TCPA_KEY_PARMS algorithmParms;
    UINT32 PCRInfoSize;
    BYTE* PCRInfo;
    TCPA_STORE_PUBKEY pubKey;
    UINT32 encSize;
    [size_is(encData)] BYTE* encData;
} TCPA_KEY;

Parameters

Type                   Name             Description
TCPA_VERSION           ver              Version number defined in section 4.5.
TCPA_KEY_USAGE         keyUsage         This SHALL be the TCPA key usage that determines the
                                        operations permitted with this key
TCPA_KEY_FLAGS         keyFlags         This SHALL be the indication of migration, redirection etc.
TCPA_AUTH_DATA_USAGE   authDataUsage    This SHALL indicate the conditions where it is required that
                                        authorization be presented.
TCPA_KEY_PARMS         algorithmParms   This SHALL be the information regarding the algorithm for
                                        this key
UINT32                 PCRInfoSize      This SHALL be the length of the pcrInfo parameter. If the key
                                        is not bound to a PCR this value SHOULD be 0.
BYTE*                  PCRInfo          This SHALL be a structure of type TCPA_PCR_INFO, or an empty
                                        array if the key is not bound to PCRs.
TCPA_STORE_PUBKEY      pubKey           This SHALL be the public portion of the key
UINT32                 encSize          This SHALL be the size of the encData parameter.
BYTE*                  encData          This SHALL be an encrypted
                                        TCPA_STORE_ASYMKEY structure
                                        TCPA_MIGRATE_ASYMKEY structure

4.27.2 TCPA_STORE_PUBKEY

typedef struct tdTCPA_STORE_PUBKEY {
    UINT32 keyLength;
    BYTE[] key;
} TCPA_STORE_PUBKEY;

Parameters

Type     Name        Description
UINT32   keyLength   This SHALL be the length of the key field.
BYTE[]   key         This SHALL be a structure interpreted according to the algorithm Id in the
                     corresponding TCPA_KEY_PARMS structure.

Descriptions

The contents of the 'key' field will vary depending upon the corresponding key algorithm:

Algorithm Id   'Key' Contents
TCPA_ALG_RSA   The RSA public modulus

4.27.3 TCPA_PUBKEY

Definition

typedef struct tdTCPA_PUBKEY {
    TCPA_KEY_PARMS algorithmParms;
    TCPA_STORE_PUBKEY pubKey;
} TCPA_PUBKEY;

Parameters

Type                Name             Description
TCPA_KEY_PARMS      algorithmParms   This SHALL be the information regarding this key
TCPA_STORE_PUBKEY   pubKey           This SHALL be the public key information

Descriptions

The pubKey member of this structure shall contain the public key for a specific algorithm.

4.27.4 TCPA_STORE_ASYMKEY

Definition

typedef struct tdTCPA_STORE_ASYMKEY {     // pos   len       total
    TCPA_PAYLOAD_TYPE payload;            // 0     1         1
    TCPA_SECRET usageAuth;                // 1     20        21
    TCPA_SECRET migrationAuth;            // 21    20        41
    TCPA_DIGEST pubDataDigest;            // 41    20        61
    TCPA_STORE_PRIVKEY privKey;           // 61    132-151   193-214
} TCPA_STORE_ASYMKEY;

Parameters

Type                 Name            Description
TCPA_PAYLOAD_TYPE    payload         This SHALL be set to TCPA_PT_ASYM to indicate an asymmetric key.
TCPA_SECRET          usageAuth       This SHALL be the authorization data necessary to authorize the
                                     use of this value
TCPA_SECRET          migrationAuth   This SHALL be the migration authorization data for a migratable
                                     key, or the TPM secret value tpmProof for a non-migratable key
                                     created by the TPM.
                                     If the TPM sets this parameter to the value tpmProof, then the
                                     TCPA_KEY.keyFlags.migratable of the corresponding TCPA_KEY
                                     structure MUST be set to 0.
                                     If this parameter is set to the migration authorization data for
                                     the key in parameter PrivKey, then the
                                     TCPA_KEY.keyFlags.migratable of the corresponding TCPA_KEY
                                     structure SHOULD be set to 1.
TCPA_DIGEST          pubDataDigest   This SHALL be the digest of the corresponding TCPA_KEY structure,
                                     excluding the fields TCPA_KEY.encSize and TCPA_KEY.encData.
                                     When TCPA_KEY -> pcrInfoSize is 0 then the digest calculation has
                                     no input from the pcrInfo field. The pcrInfoSize field MUST
                                     always be part of the digest calculation.
TCPA_STORE_PRIVKEY   privKey         This SHALL be the private key data. The privKey can be a variable
                                     length which allows for differences in the key format. The
                                     maximum size of the area would be 151 bytes.

4.27.5 TCPA_STORE_PRIVKEY

typedef struct tdTCPA_STORE_PRIVKEY {
    UINT32 keyLength;
    [size_is(keyLength)] BYTE* key;
} TCPA_STORE_PRIVKEY;

Parameters

Type     Name        Description
UINT32   keyLength   This SHALL be the length of the key field.
BYTE*    key         This SHALL be a structure interpreted according to the algorithm Id in the
                     corresponding TCPA_KEY structure.

Descriptions

All migratable keys MUST be RSA keys with two (2) prime factors.

For non-migratable keys, the size, format and contents of privKey.key MAY be vendor specific and MAY
not be the same as that used for migratable keys. The level of cryptographic protection MUST be at least
as strong as a migratable key.

Algorithm Id   key Contents
TCPA_ALG_RSA   When the numPrimes defined in the corresponding TCPA_RSA_KEY_PARMS field is 2,
               this shall be one of the prime factors of the key. Upon loading of the key the
               TPM calculates the other prime factor by dividing the modulus, stated in section
               10.4.1: TCPA_RSA_PUBKEY, by this value.
               The TPM MAY support RSA keys with more than two prime factors. Definition of the
               storage structure for these keys is left to the TPM Manufacturer.

4.27.6 TCPA_MIGRATE_ASYMKEY

Definition

typedef struct tdTCPA_MIGRATE_ASYMKEY {   // pos   len       total
    TCPA_PAYLOAD_TYPE payload;            // 0     1         1
    TCPA_SECRET usageAuth;                // 1     20        21
    TCPA_DIGEST pubDataDigest;            // 21    20        41
    UINT32 partPrivKeyLen;                // 41    4         45
    TCPA_STORE_PRIVKEY partPrivKey;       // 45    112-127   157-172
} TCPA_MIGRATE_ASYMKEY;

Parameters

Type                 Name             Description
TCPA_PAYLOAD_TYPE    payload          This SHALL be set to TCPA_PT_MIGRATE to indicate a migrating
                                      asymmetric key or TCPA_PT_MAINT to indicate a maintenance key.
TCPA_SECRET          usageAuth        This SHALL be a copy of the usageAuth from the
                                      TCPA_STORE_ASYMKEY structure.
TCPA_DIGEST          pubDataDigest    This SHALL be a copy of the pubDataDigest from the
                                      TCPA_STORE_ASYMKEY structure.
UINT32               partPrivKeyLen   This SHALL be the size of the partPrivKey field
TCPA_STORE_PRIVKEY   partPrivKey      This SHALL be the k2 area as defined in section 7.2.11

4.28 TCPA_CERTIFY_INFO Structure

IDL Definition

typedef struct tdTCPA_CERTIFY_INFO{
    TCPA_VERSION version;
    TCPA_KEY_USAGE keyUsage;
    TCPA_KEY_FLAGS keyFlags;
    TCPA_AUTH_DATA_USAGE authDataUsage;
    TCPA_KEY_PARMS algorithmParms;
    TCPA_DIGEST pubkeyDigest;
    TCPA_NONCE data;
    BOOL parentPCRStatus;
    UINT32 PCRInfoSize;
    [size_is(pcrInfoSize)] BYTE* PCRInfo;
} TCPA_CERTIFY_INFO;

Parameters

Type                   Name              Description
TCPA_VERSION           version           TCPA version structure; section 4.5.
TCPA_KEY_USAGE         keyUsage          This SHALL be the same value that would be set in a TCPA_KEY
                                         representation of the key to be certified
TCPA_KEY_FLAGS         keyFlags          This SHALL be set to the same value as the corresponding
                                         parameter in the TCPA_KEY structure that describes the public
                                         key that is being certified
TCPA_AUTH_DATA_USAGE   authDataUsage     This SHALL be the same value that would be set in a TCPA_KEY
                                         representation of the key to be certified
TCPA_KEY_PARMS         algorithmParms    This SHALL be the same value that would be set in a TCPA_KEY
                                         representation of the key to be certified
TCPA_DIGEST            pubKeyDigest      This SHALL be a digest of the value TCPA_KEY -> pubKey -> key
                                         in a TCPA_KEY representation of the key to be certified
TCPA_NONCE             data              This SHALL be externally provided data.
BOOL                   parentPCRStatus   This SHALL indicate if any parent key was wrapped to a PCR
UINT32                 PCRInfoSize       This SHALL be the size of the pcrInfo parameter. A value of
                                         zero indicates that the key is not wrapped to a PCR
BYTE*                  PCRInfo           This SHALL be the TCPA_PCR_INFO structure.

4.29 TCPA_QUOTE_INFO Structure

IDL Definition

typedef struct tdTCPA_QUOTE_INFO{
    TCPA_VERSION version;
    BYTE fixed[4];
    TCPA_COMPOSITE_HASH digestValue;
    TCPA_NONCE externalData;
} TCPA_QUOTE_INFO;

Parameters

Type                  Name           Description
TCPA_VERSION          version        TCPA version structure; section 4.5
BYTE                  fixed          This SHALL always be the string 'QUOT'
TCPA_COMPOSITE_HASH   digestValue    This SHALL be the result of the composite hash algorithm using
                                     the current values of the requested PCR indices.
TCPA_NONCE            externalData   160 bits of externally supplied data

4.30 Identity Structures
4.30.1 TCPA_IDENTITY_CONTENTS

Definition

typedef struct tdTCPA_IDENTITY_CONTENTS {
    TCPA_VERSION ver;
    UINT32 ordinal;
    TCPA_CHOSENID_HASH labelPrivCADigest;
    TCPA_PUBKEY identityPubKey;
} TCPA_IDENTITY_CONTENTS;

Parameters

Type                 Name                Description
TCPA_VERSION         ver                 This SHALL be the version specified in section 4.5.
UINT32               ordinal             This SHALL be the ordinal of the TPM_MakeIdentity command.
TCPA_CHOSENID_HASH   labelPrivCADigest   This SHALL be the result of hashing the chosen identityLabel
                                         and privacyCA for the new TPM identity (see 10.4.6 for
                                         details)
TCPA_PUBKEY          identityPubKey      This SHALL be the public key structure of the identity key

4.30.2 TCPA_IDENTITY_REQ

Parameters

| Type | Name | Description |
|---|---|---|
| UINT32 | asymSize | This SHALL be the size of the asymmetric encrypted area created by TSS_CollateIdentityRequest |
| UINT32 | symSize | This SHALL be the size of the symmetric encrypted area created by TSS_CollateIdentityRequest |
| TCPA_KEY_PARMS | asymAlgorithm | This SHALL be the parameters for the asymmetric algorithm used to create the asymBlob |
| TCPA_KEY_PARMS | symAlgorithm | This SHALL be the parameters for the symmetric algorithm used to create the symBlob |
| BYTE* | asymBlob | This SHALL be the asymmetric encrypted area from TSS_CollateIdentityRequest |
| BYTE* | symBlob | This SHALL be the symmetric encrypted area from TSS_CollateIdentityRequest |
4.30.3 TCPA_IDENTITY_PROOF

| Type | Name | Description |
|---|---|---|
| TCPA_VERSION | ver | This SHALL be the version specified in section 4.5. |
| UINT32 | labelSize | This SHALL be the size of the label area |
| UINT32 | identityBindingSize | This SHALL be the size of the identitybinding area |
| UINT32 | endorsementSize | This SHALL be the size of the endorsement credential |
| UINT32 | platformSize | This SHALL be the size of the platform credential |
| UINT32 | conformanceSize | This SHALL be the size of the conformance credential |
| TCPA_PUBKEY | identityKey | This SHALL be the public key of the new identity |
| BYTE* | labelArea | This SHALL be the text label for the new identity |
| BYTE* | identityBinding | This SHALL be the signature value of TCPA_IDENTITY_CONTENTS structure from the TPM_MakeIdentity command |
| BYTE* | endorsementCredential | This SHALL be the TPM endorsement credential |
| BYTE* | platformCredential | This SHALL be the TPM platform credential |
| BYTE* | conformanceCredential | This SHALL be the TPM conformance credential |
4.30.4 TCPA_ASYM_CA_CONTENTS

Definition

typedef struct tdTCPA_ASYM_CA_CONTENTS {
    TCPA_SYMMETRIC_KEY sessionKey;
    TCPA_DIGEST idDigest;
} TCPA_ASYM_CA_CONTENTS;

Parameters

| Type | Name | Description |
|---|---|---|
| TCPA_SYMMETRIC_KEY | sessionKey | This SHALL be the session key used by the CA to encrypt the TCPA_IDENTITY_CREDENTIAL |
| TCPA_DIGEST | idDigest | This SHALL be the digest of the TPM identity public key that is being certified by the CA |
4.30.5 TCPA_SYM_CA_ATTESTATION

| Type | Name | Description |
|---|---|---|
| UINT32 | credSize | This SHALL be the size of the credential parameter |
| TCPA_KEY_PARMS | algorithm | This SHALL be the indicator and parameters for the symmetric algorithm |
| BYTE* | credential | This is the result of encrypting TPM_IDENTITY_CREDENTIAL using the session_key and the algorithm indicated "algorithm" |
4.31 TCPA_CAPABILITY_AREA

TCPA_CAPABILITY_AREA Values

| Value | Capability Name | Comments |
|---|---|---|
| 0x00000001 | TCPA_CAP_ORD | Queries whether a command is supported. |
| 0x00000002 | TCPA_CAP_ALG | Queries whether an algorithm is supported. |
| 0x00000003 | TCPA_CAP_PID | Queries whether a protocol is supported. |
| 0x00000004 | TCPA_CAP_FLAG | Queries whether a flag is on or off. |
| 0x00000005 | TCPA_CAP_PROPERTY | Determines a physical property of the TPM. |
| 0x00000006 | TCPA_CAP_VERSION | Queries the current TPM version. |
| 0x00000007 | TCPA_CAP_KEY_HANDLE | Obtains information about all key handles |
| 0x00000008 | TPM_CAP_CHECK_LOADED | Obtains information about the ability to load a key |
| 0x00000009 | | |
| 0x0000000A | | |
| 0x0000000B | | |
4.32.1 Evidence of Subsystem Endorsement

Description

Struct TPM_ENDORSEMENT_CREDENTIAL = {
    BYTE label = "TCPA Trusted Platform Module Endorsement"
    TCPA_PUBKEY public_endorsement_key
    REFERENCE tpm_model
    REFERENCE tpm_distributed_validation
    REFERENCE tpme_reference
    TCPA_VERSION TCPA_VERSION
    SIGNATURE signature_value}

This is an abstract definition; section 9.5.1 contains the concrete representation.

Parameters

| Type | Name | Description |
|---|---|---|
| BYTE | label | This SHALL be the ASCII characters "TCPA Trusted Platform Module Endorsement" |
| TCPA_PUBKEY | public_endorsement_key | This SHALL be the PUBEK returned by a TPM_CreateEndorsementKeyPair command. |
| REFERENCE | tpm_model | This SHALL be a reference to the type of implementation of protected capabilities and shielded locations that created the PUBEK, plus a reference to the identity of the manufacturer of that implementation. |
| REFERENCE | tpm_distributed_validation | This SHALL be a reference to fields that indicate the security qualities of the implementation of protected capabilities and shielded locations that created the PUBEK. |
| REFERENCE | tpme_reference | This SHALL be an unambiguous indication of the identity of the (TPM) entity that attests that the implementation of protected capabilities and shielded locations conforms to the TCPA specification. |
| TCPA_VERSION | TCPA_VERSION | This SHALL be the version specified in section 4.5. |
| SIGNATURE | signature_value | This SHALL be the signature over all previous fields in TPM_ENDORSEMENT_CREDENTIAL, using the private key of the tpme-reference. |



When an entity presents evidence to a Privacy CA that an implementation of protected capabilities and 
shielded locations conforms to the TCPA specification, that evidence SHALL include the data in the data 
structure TPM_ENDORSEMENT_CREDENTIAL. 

A (TPME) entity SHALL NOT create the data structure TPM_ENDORSEMENT_CREDENTIAL unless the 
entity is satisfied that the PUBEK referenced in TPM_ENDORSEMENT_CREDENTIAL was returned in 
response to a TPM_CreateEndorsementKeyPair command by an implementation of protected capabilities 
and shielded locations that meets the TCPA specification. 

If the data structure TPM_ENDORSEMENT_CREDENTIAL is stored on a platform after an Owner has 
taken ownership of that platform, it SHALL exist only in storage to which access is controlled and is 
available to authorized entities. 
4.32.2 Evidence of Platform Endorsement

Description

When an entity presents evidence to a Privacy CA that a platform conforms to the TCPA specification,
that evidence SHALL include the data in the data structure platform_credential.
An entity (PE) SHALL NOT create the data structure platform_credential unless the entity is satisfied that
the platform conforms to the conformance credential referenced inside platform_credential and contains
the TPM referenced inside platform_credential.

Definition

struct PLATFORM_CREDENTIAL ={
    ASCII_STRING "TCPA Trusted Platform Endorsement"
    REFERENCE tpm-credential-reference
    REFERENCE conformance-credential-reference
    REFERENCE platform_TBB
    REFERENCE platform_distributed_validation
    REFERENCE pe-reference
    TCPA_VERSION TCPA_VERSION
    SIGNATURE signature_value }

This is an abstract definition; section 9.5.2 contains the concrete representation.

Parameters

| Type | Name | Description |
|---|---|---|
| ASCII_STRING | "TCPA Trusted Platform Endorsement" | This SHALL be the ASCII string "TCPA Trusted Platform Endorsement" |
| REFERENCE | tpm-credential-reference | This SHALL be an unambiguous indication of the endorsement credential of the TPM incorporated into the platform. |
| REFERENCE | conformance-credential-reference | This SHALL be an unambiguous indication of the conformance UIDs that attest that the design of the platform conforms to the TCPA specification. |
| REFERENCE | platform_TBB | This SHALL be a reference to the type of the platform, including the TCPA foundations in the platform, plus a reference to the identity of the manufacturer of that platform. |
| REFERENCE | platform_distributed_validation | This SHALL be fields that indicate the general security qualities of the platform. |
| REFERENCE | pe-reference | This SHALL be an unambiguous indication of the identity of the (platform) entity that attests to the design and construction of the platform. |
| TCPA_VERSION | TCPA_VERSION | This SHALL be the version specified in section 4.5. |
| SIGNATURE | signature_value | This SHALL be the signature over all previous fields in platform_credential, using the private key of the pe-reference. |

If the data structure platform_credential is stored on a platform after an Owner has taken ownership of
that platform, it SHALL exist only in storage to which access is controlled and is available to authorized
entities.
4.32.3 Evidence of Platform Conformance

Description

When an entity presents evidence to a Privacy CA that a platform conforms to the TCPA specification,
that evidence SHALL include the data in the data structure conformance_credential.

A (conformance) entity SHALL NOT create the data structure conformance_credential unless the entity is
satisfied that the design of both the Subsystem and its incorporation into the platform are accurately and
unambiguously represented by the information in conformance_credential.

typedef struct CONFORMANCE_CREDENTIAL ={
    ASCII_STRING "TCPA Conformance Credential"
    CONFORM_UID tpm_pp
    CONFORM_UID tpm_st
    CONFORM_UID foundation_pp
    CONFORM_UID foundation_st
    REFERENCE ce_reference
    TCPA_VERSION TCPA_VERSION
    SIGNATURE signature}

This is an abstract definition; section 9.5.3 contains the concrete representation.

Parameters

| Type | Name | Description |
|---|---|---|
| ASCII_STRING | "TCPA Conformance Credential" | This SHALL be the ASCII string "TCPA Conformance Credential" |
| CONFORM_UID | tpm_pp | This SHALL be the UID that unambiguously identifies the protection profile of the TPM |
| CONFORM_UID | tpm_st | This SHALL be the UID that unambiguously identifies the security target of the TPM |
| CONFORM_UID | foundation_pp | This SHALL be the UID that unambiguously identifies the protection profile of the TCPA foundations in the platform. |
| CONFORM_UID | foundation_st | This SHALL be the UID that unambiguously identifies the security target of the TCPA foundations in the platform. |
| REFERENCE | ce_reference | This SHALL be an unambiguous indication of the identity of the (Conformance) entity that attests to the overall design of the platform. |
| TCPA_VERSION | TCPA_VERSION | This SHALL be the version specified in section 4.5. |
| SIGNATURE | signature_value | This SHALL be the signature over all previous fields in CONFORMANCE_CREDENTIAL, using the private key of the ce_reference. |
4.32.4 TCPA Validation Data

All components that influence the software environment in a platform SHOULD have corresponding
validation data.

The representation of a component SHALL reflect the way that the component influences the software
environment in a platform. All representations SHALL include a description of the manufacturer, the
common name of the component, the version of the component, and a field that describes the security
qualities of the component.

The representation of a component SHALL NOT in any way provide information that exposes the identity
of a specific component.

The validation data of a component SHALL be validation_data.

IDL Description

typedef struct VALIDATION_DATA ={
    ASCII_STRING "TCPA Validation Data"
    ASCII_STRING component_manufacturer,
    ASCII_STRING component_name,
    ASCII_STRING component_version,
    DIGEST instruction_digest,
    REFERENCE component_distributed_validation,
    REFERENCE ve_reference,
    TCPA_VERSION TCPA_VERSION,
    SIGNATURE validation_data_signature_value}

This is an abstract definition; section 9.5.4 contains the concrete representation.

Parameters

| Type | Name | Description |
|---|---|---|
| ASCII_STRING | "TCPA Validation Data" | This SHALL be the ASCII string "TCPA Validation Data." |
| ASCII_STRING | component_manufacturer | This SHALL be an ASCII string stating the name of the manufacturer of the component. |
| ASCII_STRING | component_name | This SHALL be an ASCII string stating the common name of the component. |
| ASCII_STRING | component_version | This SHALL be an ASCII string stating the version of the component. |
| DIGEST | instruction_digest | This SHALL be a digest of any instructions in the component that are intended to execute on the main computing engine of the platform. |
| REFERENCE | component_distributed_validation | This SHALL be a convenient immediate reference to the security properties of the component. |
| REFERENCE | ve_reference | This SHALL be an unambiguous indication of the identity of the (validation) entity that attests to the validation data. |
| TCPA_VERSION | TCPA_VERSION | This SHALL be the version specified in section 4.5. |
| SIGNATURE | validation_data_signature_value | This SHALL be the result of signing all fields (except this field) in VALIDATION_DATA using the signature (private) key of VE_reference. |



4.32.5 Evidence of Trusted Platform Module Identity 




Description 

When an entity presents evidence that an identity belongs to a Subsystem, that evidence SHALL include
the data in the data structure TPM_IDENTITY_CREDENTIAL.

struct TPM_IDENTITY_CREDENTIAL ={
    ASCII_STRING "TCPA Trusted Platform Identity"
    UNICODE identityLabel
    TCPA_PUBKEY identityPubKey
    REFERENCE tpm_model
    REFERENCE tpm_distributed_validation
    CONFORM_UID tpm_pp
    CONFORM_UID tpm_st
    REFERENCE platform_model
    REFERENCE platform_distributed_validation
    CONFORM_UID foundation_pp
    CONFORM_UID foundation_st
    REFERENCE p-ca_reference
    TCPA_VERSION TCPA_VERSION
    SIGNATURE signature_value}

This is an abstract definition; section 9.5.5 contains the concrete representation.

Parameters

| Type | Name | Description |
|---|---|---|
| ASCII_STRING | "TCPA Trusted Platform Module Identity" | This SHALL be the ASCII string "TCPA Trusted Platform identity." |
| UNICODE | identityLabel | This SHALL be a textual string associated with the TPM identity. |
| TCPA_PUBKEY | identityPubKey | This SHALL be a public key associated with the TPM identity. |
| REFERENCE | tpm_model | This SHALL be a reference to the type of TPM in the platform, plus a reference to the identity of the manufacturer of TPM. |
| REFERENCE | tpm_distributed_validation | This SHALL be fields that indicate the security qualities of the TPM in the platform. |
| CONFORM_UID | tpm_pp | This SHALL be the UID that unambiguously identifies the protection profile of the TPM |
| CONFORM_UID | tpm_st | This SHALL be the UID that unambiguously identifies the security target of the TPM |
| REFERENCE | platform_model | This SHALL be a reference to the type of the platform, including the TCPA foundations in the platform, plus a reference to the identity of the manufacturer of that platform. |
| REFERENCE | platform_distributed_validation | This SHALL be fields that indicate the security qualities of the platform. |
| CONFORM_UID | foundation_pp | This SHALL be the UID that unambiguously identifies the protection profile of the TCPA foundations in the platform. |
| CONFORM_UID | foundation_st | This SHALL be the UID that unambiguously identifies the security target of the TCPA foundations in the platform. |
| REFERENCE | p-ca_reference | This SHALL be an unambiguous indication of the identity of the (Privacy CA) entity that attests to the TPM identity. |
| TCPA_VERSION | TCPA_VERSION | This SHALL be the version specified in section 4.5. |
| SIGNATURE | signature_value | This SHALL be the signature over all previous fields in TPM_IDENTITY_CREDENTIAL, using the private key of the p-ca_reference. |



If the data structure TPM_IDENTITY_CREDENTIAL is stored on a platform after an Owner has taken 
ownership of that platform, it SHALL exist only in storage to which access is controlled and is available to 
authorized entities. 
4.33 Command Ordinals

Ordinals are 32 bit values. The upper byte contains values that serve as flag indicators, the next byte
contains values indicating what committee designated the ordinal, and the final two bytes contain the
Command Ordinal Index.

   3                   2                   1
 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|P|C|V| Reserved|    Purview    |     Command Ordinal Index     |

Where:

• P is Protected/Unprotected command. When 0 the command is a Protected command, when 1
the command is an Unprotected command.

• C is Non-Connection/Connection related command. When 0 this command passes through to
either the protected (TPM) or unprotected (TSS) components.

• V is TCPA/Vendor command. When 0 the command is TCPA defined, when 1 the command is
vendor defined.

• All reserved area bits are set to 0.

The following masks are created to allow for the quick definition of the commands:

| Value | Event Name | Comments |
|---|---|---|
| 0x00000000 | TCPA_PROTECTED_COMMAND | TPM protected command, specified in main specification |
| 0x80000000 | TCPA_UNPROTECTED_COMMAND | TSS command, specified in the TSS specification |
| 0x40000000 | TCPA_CONNECTION_COMMAND | TSC command, protected connection commands are specified in the main specification. Unprotected connection commands are specified in the TSS. |
| 0x20000000 | TCPA_VENDOR_COMMAND | Command that is vendor specific for a given TPM or TSS. |

The following Purviews have been defined:

| Value | Event Name | Comments |
|---|---|---|
| 0x00 | TCPA_MAIN | Command is from the main specification |
| 0x01 | TCPA_PC | Command is specific to the PC |
| 0x02 | TCPA_PDA | Command is specific to a PDA |
| 0x03 | TCPA_CELL_PHONE | Command is specific to a cell phone |

Combinations for the main specification would be

| Value | Event Name |
|---|---|
| TCPA_PROTECTED_COMMAND \| TCPA_MAIN | TCPA_PROTECTED_ORDINAL |
| TCPA_UNPROTECTED_COMMAND \| TCPA_MAIN | TCPA_UNPROTECTED_ORDINAL |
| TCPA_CONNECTION_COMMAND \| TCPA_MAIN | TCPA_CONNECTION_ORDINAL |



If a command is tagged from the audit column the default state is that use of that command SHALL be 
audited. Otherwise, the default state is that use of that command SHALL NOT be audited. 





| | TCPA_PROTECTED_ORDINAL + | Audit |
|---|---|---|
| TPM_ORD_OIAP | 10 | |
| TPM_ORD_OSAP | 11 | |
| TPM_ORD_ChangeAuth | 12 | |
| TPM_ORD_TakeOwnership | 13 | X |
| TPM_ORD_ChangeAuthAsymStart | 14 | |
| TPM_ORD_ChangeAuthAsymFinish | 15 | |
| TPM_ORD_ChangeAuthOwner | 16 | X |
| TPM_ORD_Extend | 20 | |
| TPM_ORD_PcrRead | 21 | |
| TPM_ORD_Quote | 22 | |
| TPM_ORD_Seal | 23 | X |
| TPM_ORD_Unseal | 24 | |
| TPM_ORD_DirWriteAuth | 25 | X |
| TPM_ORD_DirRead | 26 | |
| TPM_ORD_UnBind | 30 | |
| TPM_ORD_CreateWrapKey | 31 | X |
| TPM_ORD_LoadKey | 32 | |
| TPM_ORD_GetPubKey | 33 | |
| TPM_ORD_EvictKey | 34 | |
| TPM_ORD_CreateMigrationBlob | 40 | X |
| TPM_ORD_ReWrapKey | 41 | |
| TPM_ORD_ConvertMigrationBlob | 42 | X |
| TPM_ORD_AuthorizeMigrationKey | 43 | X |
| TPM_ORD_CreateMaintenanceArchive | 44 | X |
| TPM_ORD_LoadMaintenanceArchive | 45 | X |
| TPM_ORD_KillMaintenanceFeature | 46 | X |
| TPM_ORD_LoadManuMaintPub | 47 | X |
| TPM_ORD_ReadManuMaintPub | 48 | X |
| TPM_ORD_CertifyKey | 50 | |
| TPM_ORD_Sign | 60 | |
| TPM_ORD_GetRandom | 70 | |
| TPM_ORD_StirRandom | 71 | |
| TPM_ORD_SelfTestFull | 80 | |
| TPM_ORD_SelfTestStartup | 81 | |
| TPM_ORD_CertifySelfTest | 82 | |
| TPM_ORD_ContinueSelfTest | 83 | |
| TPM_ORD_GetTestResult | 84 | |
| TPM_ORD_Reset | 90 | X |
| TPM_ORD_OwnerClear | 91 | X |
| TPM_ORD_DisableOwnerClear | 92 | X |
| TPM_ORD_ForceClear | 93 | X |
| TPM_ORD_DisableForceClear | | X |
| TPM_ORD_GetCapabilitySigned | 100 | |
| TPM_ORD_GetCapability | 101 | |
| TPM_ORD_GetCapabilityOwner | 102 | |
| TPM_ORD_OwnerSetDisable | 110 | X |
| TPM_ORD_PhysicalEnable | 111 | X |
| TPM_ORD_PhysicalDisable | 112 | X |
| TPM_ORD_SetOwnerInstall | 113 | X |
| TPM_ORD_PhysicalSetDeactivated | 114 | X |
| TPM_ORD_SetTempDeactivated | 115 | X |
| TPM_ORD_CreateEndorsementKeyPair | 120 | X |
| TPM_ORD_MakeIdentity | 121 | X |
| TPM_ORD_ActivateIdentity | 122 | X |
| TPM_ORD_ReadPubek | 124 | X |
| TPM_ORD_OwnerReadPubek | 125 | X |
| TPM_ORD_DisablePubekRead | 126 | X |
| TPM_ORD_GetAuditEvent | 130 | X |
| TPM_ORD_GetAuditEventSigned | 131 | X |
| TPM_ORD_GetOrdinalAuditStatus | 140 | |
| TPM_ORD_SetOrdinalAuditStatus | 141 | X |
| TPM_ORD_Terminate_Handle | 150 | |
| TPM_ORD_Init | 151 | X |
| TPM_ORD_SaveState | 152 | X |
| TPM_ORD_Startup | 153 | X |
| TPM_ORD_SetRedirection | 154 | X |
| TPM_ORD_SHA1Start | 160 | |
| TPM_ORD_SHA1Update | 161 | |
| TPM_ORD_SHA1Complete | 162 | |
| TPM_ORD_SHA1CompleteExtend | 163 | |
| TPM_ORD_FieldUpgrade | 170 | |
| TPM_ORD_SaveKeyContext | 180 | |
| TPM_ORD_LoadKeyContext | 181 | |
| TPM_ORD_SaveAuthContext | 182 | |
| TPM_ORD_LoadAuthContext | 183 | |





The connection commands manage the TPM's connection to the TBB. 




| | TCPA_CONNECTION_ORDINAL + |
|---|---|
| TSC_ORD_PhysicalPresence | 10 |
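The bit layout, masks and purviews of section 4.33 can be applied mechanically to any 32-bit ordinal. The following Python sketch is an added example, not part of the specification: it copies a few rows of the ordinal tables, and the names `decode_ordinal`, `encode_ordinal`, `triage` and the sample trace are constructed for illustration.

```python
from collections import namedtuple

# Masks and purview values copied from the tables in section 4.33.
TCPA_UNPROTECTED_COMMAND = 0x80000000   # P, bit 31
TCPA_CONNECTION_COMMAND = 0x40000000    # C, bit 30
TCPA_VENDOR_COMMAND = 0x20000000        # V, bit 29
RESERVED_MASK = 0x1F000000              # bits 28..24, all set to 0
PURVIEWS = {0x00: "TCPA_MAIN", 0x01: "TCPA_PC", 0x02: "TCPA_PDA", 0x03: "TCPA_CELL_PHONE"}

# A few rows of the ordinal tables: index -> (name, audited by default).
PROTECTED_MAIN = {
    10: ("TPM_ORD_OIAP", False),
    11: ("TPM_ORD_OSAP", False),
    13: ("TPM_ORD_TakeOwnership", True),
    22: ("TPM_ORD_Quote", False),
    23: ("TPM_ORD_Seal", True),
    91: ("TPM_ORD_OwnerClear", True),
    121: ("TPM_ORD_MakeIdentity", True),
}
CONNECTION_MAIN = {10: ("TSC_ORD_PhysicalPresence", False)}

Ordinal = namedtuple("Ordinal", "raw unprotected connection vendor purview index name audited")


def encode_ordinal(index, purview=0x00, unprotected=False, connection=False, vendor=False):
    """Compose an ordinal from its fields; reserved bits stay zero."""
    if not 0 <= index <= 0xFFFF or not 0 <= purview <= 0xFF:
        raise ValueError("index is 16 bits and purview is 8 bits")
    raw = (purview << 16) | index
    if unprotected:
        raw |= TCPA_UNPROTECTED_COMMAND
    if connection:
        raw |= TCPA_CONNECTION_COMMAND
    if vendor:
        raw |= TCPA_VENDOR_COMMAND
    return raw


def decode_ordinal(raw):
    """Split a 32-bit ordinal into P, C, V, purview and index; reject reserved bits."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("ordinal is a 32-bit value")
    if raw & RESERVED_MASK:
        raise ValueError(f"reserved bits set in ordinal {raw:#010x}")
    unprotected = bool(raw & TCPA_UNPROTECTED_COMMAND)
    connection = bool(raw & TCPA_CONNECTION_COMMAND)
    vendor = bool(raw & TCPA_VENDOR_COMMAND)
    purview = (raw >> 16) & 0xFF
    index = raw & 0xFFFF
    table = {}
    if not vendor and not unprotected and purview == 0x00:
        table = CONNECTION_MAIN if connection else PROTECTED_MAIN
    name, audited = table.get(index, ("unknown", False))
    return Ordinal(raw, unprotected, connection, vendor, purview, index, name, audited)


def triage(trace):
    """Classify each ordinal of a command trace for review."""
    findings = []
    for raw in trace:
        try:
            o = decode_ordinal(raw)
        except ValueError as exc:
            findings.append((raw, "reject: " + str(exc)))
            continue
        if o.vendor:
            verdict = "vendor-defined"
        elif o.name == "unknown":
            verdict = "unknown ordinal in purview " + PURVIEWS.get(o.purview, hex(o.purview))
        elif o.audited:
            verdict = o.name + " (audited by default)"
        else:
            verdict = o.name
        findings.append((raw, verdict))
    return findings


# Constructed sample trace, not captured from a real TPM.
SAMPLE_TRACE = [0x0000000A, 0x0000000D, 0x4000000A, 0x20000001, 0x01000017, 0x00010005]

if __name__ == "__main__":
    for raw, verdict in triage(SAMPLE_TRACE):
        print(f"{raw:#010x}  {verdict}")
```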



Version 1.1a 1 December 2001 



TCPA Main Specification 






5. Authorization and Ownership 
5.1 Introduction 







All entity authorizations requiring authorization MUST use the authorization data protocols. 

The TPM MUST support the OI-AP and the OS-AP which enable proof of knowledge of authorization data 
while maintaining the secrecy of that authorization data. 

The TPM MUST support the ADIP that inserts the authorization during entity creation. 
The TPM MUST support the ADCP and AACP which allow for the changing of authorization data. 
The TPM MUST support TPM_Terminate_Handle which forces the termination of a session. 
The TPM MAY support additional protocols to authenticate, insert and change authorization data. 
The TPM MUST support the ability to calculate a HMAC in order to verify authorization data independent
of the source or transmission mechanism. The TPM MUST calculate the HMAC digest according to
section 8.6. The TPM MUST NOT perform the HMAC calculation for a returning message when the
authorization for the command fails or the command fails for any other reason.

If a command has more than one authorization value, each authorization session MUST use the same
SHA-1 parameter digest (<paramDigest> from Sect. 4.4.2) plus its respective authorization setup
parameters (nonces, authHandles, etc.) in the HMAC calculation. For example, the capability
9.3.1 TPM_MakeIdentity requires authorization from both the TPM Owner and from the SRK owner. So
the authentication information "TpmOwnerAuth" and "SrkAuth" are each calculated over all parameters
tagged with an 'S' subscript in the definition of TPM_MakeIdentity.

All commands that use keys normally include at least one authorization session in the input parameters. If
AuthDataUsage is set to TPM_AUTH_NEVER for that key, then the command does not need to be
authorized. To implement this, the 5 authorization parameters at the end of the input parameter list should
be removed and the tag value (first parameter) changed from TPM_TAG_RQU_AUTH1_COMMAND to
TPM_TAG_RQU_COMMAND.

When an incoming command includes an authorization session but the authorized key has
AuthDataUsage set to NEVER the TPM MUST perform the following:

• If the value of the command tag is TPM_TAG_RQU_AUTH1_COMMAND the TPM will compute
the authorization based on the value stored in the authorization location within the key, IGNORING
the state of the AuthDataUsage flag.

• Users may choose to use a well-known value for the authorization data when setting 
AuthDataUsage to NEVER. 

For commands that normally have 2 authorization sessions, if the tag specifies only one in the parameter 
array, then the first session listed is ignored (authDataUsage must be NEVER for this key) and the 
incoming session data is used for the second auth session in the list. 
5.1.1 Tag Usage

This table summarizes which tags can be used with a given TPM command.

| Section | Name | TPM_TAG_RQU_AUTH2_COMMAND | TPM_TAG_RQU_AUTH1_COMMAND | TPM_TAG_RQU_COMMAND |
|---|---|---|---|---|
| 5.6.1 | TPM_ChangeAuth | X | | |
| 5.6.2 | TPM_ChangeAuthOwner | | X | |
| 5.7.1 | TPM_ChangeAuthAsymStart | | X | X |
| 5.7.2 | TPM_ChangeAuthAsymFinish | | X | X |
| 5.11.1 | TPM_TakeOwnership | | X | |
| 6.3.3 | TPM_Quote | | X | X |
| 6.3.4 | TPM_DirWriteAuth | | X | |
| 7.2.1 | TPM_Seal | | X | |
| 7.2.2 | TPM_Unseal | X | X | |
| 7.2.4 | TPM_UnBind | | X | X |
| 7.2.5 | TPM_CreateWrapKey | | X | |
| 7.2.8 | TPM_LoadKey | | X | X |
| 7.2.10 | TPM_GetPubKey | | X | X |
| 7.2.11 | TPM_CreateMigrationBlob | X | X | X |
| 0 | TPM_ConvertMigrationBlob | | X | X |
| 7.2.13 | TPM_AuthorizeMigrationKey | | X | |
| 7.3.1 | TPM_CreateMaintenanceArchive | | X | |
| 7.3.2 | TPM_LoadMaintenanceArchive | | X | |
| 7.3.3 | TPM_KillMaintenanceFeature | | X | |
| 8.3.1 | TPM_CertifyKey | X | X | X |
| 8.7.1 | TPM_Sign | | X | X |
| 8.9.2 | TPM_CertifySelfTest | | X | X |
| 0 | TPM_OwnerClear | | X | |
| 8.10.6 | TPM_DisableOwnerClear | | X | |
| 8.11.2 | TPM_GetCapabilitySigned | | X | X |
| 8.11.3 | TPM_GetCapabilityOwner | | X | |
| 8.12.2 | TPM_GetAuditEventSigned | | X | X |
| 8.12.3 | TPM_SetOrdinalAuditStatus | | X | |
| 8.14.1 | TPM_OwnerSetDisable | | X | |
| 8.17 | TPM_SetRedirection | | X | X |
| 9.2.3 | TPM_DisablePubekRead | | X | |
| 9.2.4 | TPM_OwnerReadPubek | | X | |
| 9.3.1 | TPM_MakeIdentity | X | X | |
| 9.3.4 | TPM_ActivateIdentity | X | X | |
5.2 Authorization protocols
5.2.1 OI-AP description
5.2.2 TPM_OIAP
Type

TCPA protected capability.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_OIAP. |

Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 4 | | | TCPA_AUTHHANDLE | authHandle | Handle that TPM creates that points to the authorization state. |
| 5 | 20 | | | TCPA_NONCE | nonceEven | Nonce generated by TPM and associated with session. |

Actions 

1. The TPM_OIAP command allows the creation of an authorization handle and the tracking of the 
handle by the TPM. The TPM generates the handle and nonce. 

2. The TPM has an internal limit as to the number of handles that may be open at one time, so the 
request for a new handle may fail if there is insufficient space available. 

3. Internally the TPM will do the following: 

a) TPM allocates space to save handle, protocol identification, both nonces and any other 
information the TPM needs to manage the session. 

b) TPM generates authHandle and nonceEven, returns these to caller 

4. On each subsequent use of the OIAP session the TPM MUST generate a new nonceEven value. 
5.2.3 Authorization using an OI-AP session

Actions

perform the following actions:

1. The TPM MUST verify that the authorization handle (H, say) referenced in the command points to
a valid session. If it does not, the TPM returns the error code TCPA_AUTHFAIL.

2. The TPM SHALL retrieve the latest version of the caller's nonce (nonceOdd) and
continueAuthSession flag from the input parameter list, and store it in internal TPM memory with
the authSession 'H'.

3. The TPM SHALL retrieve the latest version of the TPM's nonce stored with the authorization 
session H (authLastNonceEven) computed during the previously executed command. 

4. The TPM MUST retrieve the secret authorization data (SecretE, say) of the target entity. The 
entity and its secret must have been previously loaded into the TPM. 

5. The TPM SHALL perform a HMAC calculation using the entity secret data, ordinal, input 
command parameters and authorization parameters per section 4.4.2. 

6. The TPM SHALL compare HM to the authorization value received in the input parameters. If they 
are different, the TPM returns the error code TCPA_AUTHFAIL. Otherwise, the TPM executes 
the command which (for this example) produces an output that requires authentication. 

7. The TPM SHALL generate a nonce (nonceEven). 

8. The TPM creates an HMAC digest to authenticate the return code, return values and 
authorization parameters to the same entity secret per section 4.4.2 

9. The TPM returns the return code, output parameters, authorization parameters and authorization 
digest. 

10. If the output continueUse flag is FALSE, then the TPM SHALL terminate the session. Future 
references to H will return an error. 
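The ten actions above can be followed end to end in a small model. This Python sketch is an added example, not code from the specification: `ToyTPM`, `AuthFail`, `MAX_SESSIONS` and the stand-in command output are hypothetical, and the HMAC input layout (parameter digest, then nonceEven, nonceOdd and continueAuthSession) is an assumption about section 4.4.2, which is not reproduced in this section.

```python
import hashlib
import hmac
import os
import struct

TPM_ORD_Seal = 23      # ordinal index from the table in section 4.33
TCPA_SUCCESS = 0       # assumed return-code value (section 4.3 is not reproduced here)
MAX_SESSIONS = 3       # hypothetical limit; the real one is internal to the TPM


class AuthFail(Exception):
    """Stands in for the TCPA_AUTHFAIL return code."""


def param_digest(*fields):
    """SHA-1 over 32-bit big-endian integers and raw byte strings, in order."""
    h = hashlib.sha1()
    for f in fields:
        h.update(struct.pack(">I", f) if isinstance(f, int) else f)
    return h.digest()


def auth_hmac(secret, digest, nonce_even, nonce_odd, cont):
    """Assumed section 4.4.2 layout: digest || nonceEven || nonceOdd || continueAuthSession."""
    msg = digest + nonce_even + nonce_odd + (b"\x01" if cont else b"\x00")
    return hmac.new(secret, msg, hashlib.sha1).digest()


class ToyTPM:
    def __init__(self, entity_secret):
        self.secret = entity_secret      # SecretE, already loaded (step 4)
        self.sessions = {}               # authHandle -> authLastNonceEven
        self.next_handle = 1

    def oiap(self):
        """TPM_OIAP: allocate a session, return (authHandle, nonceEven)."""
        if len(self.sessions) >= MAX_SESSIONS:
            raise RuntimeError("no space for another authorization handle")
        handle, self.next_handle = self.next_handle, self.next_handle + 1
        self.sessions[handle] = os.urandom(20)
        return handle, self.sessions[handle]

    def execute(self, handle, ordinal, params, nonce_odd, cont, in_auth):
        if handle not in self.sessions:                                   # step 1
            raise AuthFail("authHandle does not point to a valid session")
        last_even = self.sessions[handle]                                 # steps 2-3
        hm = auth_hmac(self.secret, param_digest(ordinal, params),        # steps 4-5
                       last_even, nonce_odd, cont)
        if not hmac.compare_digest(hm, in_auth):                          # step 6
            raise AuthFail("authorization HMAC mismatch")
        out_params = b"output-of:" + params      # stand-in for the command's real output
        nonce_even = os.urandom(20)                                       # step 7
        res_auth = auth_hmac(self.secret,                                 # step 8
                             param_digest(TCPA_SUCCESS, ordinal, out_params),
                             nonce_even, nonce_odd, cont)
        if cont:
            self.sessions[handle] = nonce_even   # becomes authLastNonceEven
        else:
            del self.sessions[handle]                                     # step 10
        return TCPA_SUCCESS, out_params, nonce_even, cont, res_auth       # step 9


def run_session():
    """Drive one OIAP session from the caller's side; return what was observed."""
    secret = hashlib.sha1(b"constructed entity password").digest()
    tpm, seen = ToyTPM(secret), {}
    handle, even = tpm.oiap()

    def request(key, last_even, cont=True):
        odd = os.urandom(20)
        return odd, auth_hmac(key, param_digest(TPM_ORD_Seal, b"data"), last_even, odd, cont)

    def accepted(*args):
        try:
            tpm.execute(*args)
            return True
        except AuthFail:
            return False

    odd, auth = request(secret, even)
    rc, out, even2, cont, res_auth = tpm.execute(handle, TPM_ORD_Seal, b"data", odd, True, auth)
    expected = auth_hmac(secret, param_digest(rc, TPM_ORD_Seal, out), even2, odd, cont)
    seen["response_authentic"] = hmac.compare_digest(expected, res_auth)
    # Replaying the captured request fails: the TPM now expects an HMAC over even2.
    seen["replay_accepted"] = accepted(handle, TPM_ORD_Seal, b"data", odd, True, auth)
    odd, auth = request(b"\x00" * 20, even2)
    seen["wrong_secret_accepted"] = accepted(handle, TPM_ORD_Seal, b"data", odd, True, auth)
    odd, auth = request(secret, even2, cont=False)
    seen["final_accepted"] = accepted(handle, TPM_ORD_Seal, b"data", odd, False, auth)
    seen["session_open_after_final"] = handle in tpm.sessions
    return seen
```

The rolling nonceEven is what makes a recorded request useless to replay, and the authorization data itself never crosses the interface, only HMACs keyed with it.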
5.2.5 TPM_OSAP

Type

TCPA protected capability.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_OSAP. |
| 4 | 2 | | | TCPA_ENTITY_TYPE | entityType | The type of entity in use |
| 5 | 4 | | | UINT32 | entityValue | The selection value based on entityType, e.g. a keyHandle # |
| 6 | 20 | | | TCPA_NONCE | nonceOddOSAP | The nonce generated by the caller associated with the shared secret. |

Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 4 | | | TCPA_AUTHHANDLE | authHandle | Handle that TPM creates that points to the authorization state. |
| 5 | 20 | | | TCPA_NONCE | nonceEven | Nonce generated by TPM and associated with session. |
| 6 | 20 | | | TCPA_NONCE | nonceEvenOSAP | Nonce generated by TPM and associated with shared secret. |


Actions 

1. The TPM_OSAP command allows the creation of an authorization handle and the tracking of the 
handle by the TPM. The TPM generates the handle, nonceEven and nonceEvenOSAP. 

2. The TPM has an internal limit on the number of handles that may be open at one time, so the request 
for a new handle may fail if there is insufficient space available. 

3. The TPM_OSAP allows the binding of an authorization to a specific entity. This allows the caller to 
continue to send in authorization data for each command but not have to request the information or 
cache the actual authorization data. 

4. Internally the TPM will do the following: 

a. TPM receives command. 

b. TPM generates new handle and reserves space to save protocol identification, shared 
secret, both nonces and any other information the TPM needs to manage the session. 

c. TPM generates nonces nonceEven and nonceEvenOSAP. 

d. The TPM calculates the shared secret using an HMAC calculation. The key for the HMAC 
calculation is the secret authorization data assigned to the key handle identified by 
entityValue. The input to the HMAC calculation is the concatenation of nonces 
nonceEvenOSAP and nonceOddOSAP. The output of the HMAC calculation is the 
shared secret which is saved in the authorization area associated with authHandle. 

Descriptions 

entityType = TCPA_ET_KEYHANDLE 

The entity to authorize is a key held in the TPM. entityValue contains the keyHandle that holds the key. 
entityType = TCPA_ET_OWNER 

This value indicates that the entity is the TPM owner. entityValue is ignored. 
entityType = TCPA_ET_SRK 

The entity to authorize is the SRK. entityValue is ignored. 
Usage 

On each subsequent use of the OSAP session the TPM MUST generate a new nonce value. 

The TPM MUST ensure that OS-AP shared secret is only available while the OS-AP session is valid. 

Termination 

The session MUST terminate upon any of the following conditions: 

• The entity is unloaded. 

• The entity has a change authorization performed on it. 

• The session is used in a TPM_ChangeAuth command. 

• The command that uses the session returns an error. 

5.2.6 Authorization using an OS-AP session 




Actions 



On reception of a command with ordinal C1 that uses an authorization session, the TPM SHALL perform 
the following actions: 

1. The TPM MUST have been able to retrieve the shared secret (Shared, say) of the target entity when 
the authorization session was established with TPM_OSAP. The entity and its secret must have been 
previously loaded into the TPM. 

2. The TPM MUST verify that the authorization handle (H, say) referenced in the command points to a 
valid session. If it does not, the TPM returns the error code TPM_AUTHFAIL. 

3. The TPM MUST calculate the HMAC (HM1, say) of the command parameters according to section 
4.4.2. 

4. The TPM SHALL compare HM1 to the authorization value received in the command. If they are 
different, the TPM returns the error code TPM_AUTHFAIL. Otherwise, the TPM executes command 
C1 which produces an output (O, say) that requires authentication and uses a particular return code 
(RC, say). 

5. The TPM SHALL generate the latest version of the even nonce (nonceEven). 

6. The TPM MUST calculate the HMAC (HM2) of the return parameters according to section 4.4.2. 

7. The TPM returns HM2 in the parameter list. 

8. The TPM SHALL retrieve the continue flag from the received command. If the flag is FALSE, the TPM 
SHALL terminate the session and destroy the thread associated with handle H. 

If the shared secret was used to provide confidentiality for data in the received command, the TPM 
SHALL terminate the session and destroy the thread associated with handle H. 

Each time that access to an entity (key) is authorized using OSAP, the TPM MUST ensure that the OSAP 
shared secret is that derived from the entity using TPM_OSAP. 

5.3 TPM_Terminate_Handle 




Type 

TCPA protected capability. 
Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_Terminate_Handle. |
| 4 | 4 | | | TCPA_AUTHHANDLE | handle | The handle to terminate |



Outgoing Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |



Descriptions 



A TPM SHALL unilaterally perform the actions of TPM_Terminate_Handle upon detection of the following 
events: 

• Completion of a received command whose authorization "continueUse" flag is FALSE. 

• Completion of a received command when a shared secret derived from the authorization session 
was exclusive-or'ed with data (to provide confidentiality for that data). This occurs during 
execution of a TPM_ChangeAuth command, for example. 

• When the associated entity is destroyed (in the case of TPM Owner or SRK, for example) 

• Upon execution of TPM_Init 

• When the command returns an error. This is due to the fact that when returning an error the TPM 
does not send back nonceEven. There is no way to maintain the rolling nonces, hence the TPM 
MUST terminate the authorization session. 

• Failure of an authorization check belonging to that authorization session. 
Actions 

The TPM SHALL terminate the session and destroy all data associated with the session indicated. 

The TPM MUST enable ADIP by using the OS-AP. The TPM MUST encrypt the authorization data for the 
new entity by performing an XOR using the shared secret created by the OS-AP. 

The TPM MUST destroy the OS-AP session whenever a new entity is created. 

5.5 ADCP - Changing Authorization Data 




Changing authorization data for the TPM SHALL require authorization of the current TPM Owner. 



Changing authorization data for the SRK SHALL require authorization of the TPM Owner. 

If SRKAuth is a well known value, TPM_ChangeAuth SHOULD NOT be used to change the authorisation 
value of a child of the SRK, including the TPM identities. 

All other entities SHALL require authorization of the parent entity. 

5.6 Changing authorization values 




Type 

TCPA protected capability; user must provide authorizations for the entity pointed to by parentHandle and 
inData. 

Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH2_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed at TPM_ORD_ChangeAuth |
| 4 | 4 | | | TCPA_KEY_HANDLE | parentHandle | Handle of the parent key to the entity. |
| 5 | 2 | 2s | 2 | TCPA_PROTOCOL_ID | protocolID | The protocol in use. |
| 6 | 20 | 3s | 20 | TCPA_ENCAUTH | newAuth | The encrypted new authorization data for the entity. The encryption key is the shared secret from the OS-AP protocol. |
| 7 | 2 | 4s | 2 | TCPA_ENTITY_TYPE | entityType | The type of entity to be modified |
| 8 | 4 | 5s | 4 | UINT32 | encDataSize | The size of the encData parameter |
| 9 | <> | 6s | <> | BYTE[] | encData | The encrypted entity that is to be modified. |
| 10 | 4 | | | TCPA_AUTHHANDLE | parentAuthHandle | The authorization handle used for the parent key. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 11 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with parentAuthHandle |
| 12 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Ignored, parentAuthHandle is always terminated. |
| 13 | 20 | | | TCPA_AUTHDATA | parentAuth | The authorization digest for inputs and parentHandle. HMAC key: parentKey.usageAuth. |
| 14 | 4 | | | TCPA_AUTHHANDLE | entityAuthHandle | The authorization handle used for the encrypted entity. The session type MUST be OIAP |
| | | 2H2 | 20 | TCPA_NONCE | entitylastNonceEven | Even nonce previously generated by TPM |
| 15 | 20 | 3H2 | 20 | TCPA_NONCE | entitynonceOdd | Nonce generated by system associated with entityAuthHandle |
| 16 | 1 | 4H2 | 1 | BOOL | continueEntitySession | Ignored, entityAuthHandle is always terminated. |
| 17 | 20 | | | TCPA_AUTHDATA | entityAuth | The authorization digest for the inputs and encrypted entity. HMAC key: entity.usageAuth. |



Outgoing Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH2_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_ChangeAuth |
| 4 | 4 | 3s | 4 | UINT32 | outDataSize | The used size of the output area for outData |
| 5 | <> | 4s | <> | BYTE[] | outData | The modified, encrypted entity. |
| 6 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with parentAuthHandle |
| 7 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, fixed value of FALSE |
| 8 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters and parentHandle. HMAC key: parentKey.usageAuth. |
| 9 | 20 | 2H2 | 20 | TCPA_NONCE | entityNonceEven | Even nonce newly generated by TPM to cover entity |
| | | 3H2 | 20 | TCPA_NONCE | entitynonceOdd | Nonce generated by system associated with entityAuthHandle |
| 10 | 1 | 4H2 | 1 | BOOL | entityContinueAuthSession | Continue use flag, fixed value of FALSE |
| 11 | 20 | | | TCPA_AUTHDATA | entityAuth | The authorization digest for the returned parameters and entity. HMAC key: newly changed entity.usageAuth. |



Descriptions 

A TPM MUST support the TPM_PID_ADCP protocol. 
TPM_PID_ADCP protocol descriptions 

The parentAuthHandle session type MUST be TCPA_PID_OSAP. 



Version 1.1a 1 December 2001 



TCPA Main Specification 



Page 120 



TPM_PID_ADCP protocol actions 

1. Verify that entityType is one of TCPA_ET_DATA, TCPA_ET_KEY and return the error 
TCPA_WRONG_ENTITYTYPE if not. 

2. The encData field MUST be the encData field from either the TCPA_STORED_DATA or TCPA_KEY 
structures. 

3. Create s1 string by concatenating (parentAuthHandle -> shared secret || authLastNonceEven) 

4. Create x1 by performing a SHA1 hash of s1 

5. Create decryptAuth by XOR of x1 and newAuth. 

6. parentAuthHandle MUST be built using the parent entity's authorization data. 

7. The TPM MUST validate the command using the authorization data in the parentAuth parameter. The 
parentRef parameter provides the identification of the parent. 

8. After parameter validation the TPM creates b1 by decrypting inData using the key pointed to by 
parentHandle. 

9. The TPM MUST validate that b1 is a valid TCPA structure by verifying that the command has been 
authorized to use the blob. This checks that 20B of the decrypted blob have the proper value and 
provides statistical proof that the blob was correctly decrypted. 

10. The TPM replaces the authorization data for b1 with decryptAuth created above. 

11. The TPM encrypts b1 using the appropriate mechanism for the type using the parentKeyHandle to 
provide the key information. 

12. The new blob is returned in outData when appropriate. 

13. The TPM MUST enforce the destruction of both the parentAuthHandle and entityAuthHandle 
sessions. 
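
The TPM_OSAP shared-secret derivation (Actions, step 4d) and ADCP steps 3 to 5 above, worked end to end as an added example; this is not code from the specification. It assumes the HMAC is HMAC-SHA1, and every function name and sample value is constructed for illustration.

```python
import hashlib
import hmac

AUTH_LEN = 20  # 160-bit authorization data; TCPA_NONCE is also 20 bytes


def _check20(**fields):
    """Reject any operand that is not exactly 20 bytes."""
    for name, value in fields.items():
        if len(value) != AUTH_LEN:
            raise ValueError(f"{name} must be {AUTH_LEN} bytes, got {len(value)}")


def osap_shared_secret(entity_auth, nonce_even_osap, nonce_odd_osap):
    """TPM_OSAP step 4d: HMAC keyed with the entity's authorization data over
    nonceEvenOSAP || nonceOddOSAP (HMAC-SHA1 is an assumption of this example)."""
    _check20(entity_auth=entity_auth, nonce_even_osap=nonce_even_osap,
             nonce_odd_osap=nonce_odd_osap)
    return hmac.new(entity_auth, nonce_even_osap + nonce_odd_osap,
                    hashlib.sha1).digest()


def adcp_pad(shared_secret, auth_last_nonce_even):
    """ADCP steps 3-4: s1 = shared secret || authLastNonceEven, x1 = SHA1(s1)."""
    _check20(shared_secret=shared_secret, auth_last_nonce_even=auth_last_nonce_even)
    return hashlib.sha1(shared_secret + auth_last_nonce_even).digest()


def xor_auth(value, pad):
    """ADCP step 5: byte-wise XOR of two 20-byte strings."""
    _check20(value=value, pad=pad)
    return bytes(v ^ p for v, p in zip(value, pad))


def caller_encrypt_new_auth(new_auth, shared_secret, auth_last_nonce_even):
    """Caller side: produce the newAuth operand (TCPA_ENCAUTH)."""
    return xor_auth(new_auth, adcp_pad(shared_secret, auth_last_nonce_even))


def tpm_decrypt_new_auth(enc_new_auth, shared_secret, auth_last_nonce_even):
    """TPM side: recover decryptAuth from the newAuth operand."""
    return xor_auth(enc_new_auth, adcp_pad(shared_secret, auth_last_nonce_even))


def demo():
    # Constructed sample values, not taken from the specification.
    parent_auth = hashlib.sha1(b"constructed parent password").digest()
    new_auth = hashlib.sha1(b"constructed new entity password").digest()
    nonce_odd_osap = bytes([0x11]) * 20        # chosen by the caller
    nonce_even_osap = bytes([0x22]) * 20       # chosen by the TPM
    auth_last_nonce_even = bytes([0x33]) * 20  # rolling even nonce of the session

    # Both ends derive the same secret without sending parent_auth.
    caller_secret = osap_shared_secret(parent_auth, nonce_even_osap, nonce_odd_osap)
    tpm_secret = osap_shared_secret(parent_auth, nonce_even_osap, nonce_odd_osap)

    enc = caller_encrypt_new_auth(new_auth, caller_secret, auth_last_nonce_even)
    recovered = tpm_decrypt_new_auth(enc, tpm_secret, auth_last_nonce_even)

    # A party that sees both OSAP nonces but not parent_auth derives another secret.
    wrong_secret = osap_shared_secret(
        hashlib.sha1(b"constructed wrong guess").digest(),
        nonce_even_osap, nonce_odd_osap)
    wrong_secret_result = tpm_decrypt_new_auth(enc, wrong_secret, auth_last_nonce_even)

    # The pad is bound to authLastNonceEven: a different even nonce gives a
    # different x1, so the same operand no longer decrypts to new_auth.
    stale_nonce_result = tpm_decrypt_new_auth(enc, tpm_secret, bytes([0x44]) * 20)

    return {
        "new_auth": new_auth,
        "enc_new_auth": enc,
        "recovered": recovered,
        "wrong_secret_result": wrong_secret_result,
        "stale_nonce_result": stale_nonce_result,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value.hex()}")
```

The XOR step provides confidentiality only; integrity of newAuth comes from the HMAC authorization digests listed in the operand tables.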

5.6.2 TPM_ChangeAuthOwner 




Type 

TCPA protected capability; user must provide authorizations from the TPM Owner 
Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_ChangeAuthOwner |
| 4 | 2 | 2s | 2 | TCPA_PROTOCOL_ID | protocolID | The protocol in use. |
| 5 | 20 | 3s | 20 | TCPA_ENCAUTH | newAuth | The encrypted new authorization data for the entity. The encryption key is the shared secret from the OS-AP protocol. |
| 6 | 2 | 4s | 2 | TCPA_ENTITY_TYPE | entityType | The type of entity to be modified |
| 7 | 4 | | | TCPA_AUTHHANDLE | ownerAuthHandle | The authorization handle used for the TPM Owner. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 8 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with ownerAuthHandle |
| 9 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, the TPM ignores this value |
| 10 | 20 | | | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and ownerHandle. HMAC key: tpmOwnerAuth. |

Outgoing Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal TPM_ORD_ChangeAuthOwner |
| 4 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with ownerAuthHandle |
| 5 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, fixed value of FALSE |
| 6 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters and ownerHandle. HMAC key: tpmOwnerAuth. This is the new tpmOwnerAuth value if this command changed that value. |



Descriptions 

A TPM MUST support the TPM_PID_ADCP protocol. 

In this capability, the SRK cannot be accessed as entityType TCPA_ET_KEY, since the SRK is not 
wrapped by a parent key. 

TPM_PID_ADCP protocol descriptions 

The ownerAuthHandle session type MUST be TCPA_PID_OSAP. 
TPM_PID_ADCP protocol actions 

1. Verify that entityType is either TCPA_ET_OWNER or TCPA_ET_SRK ... 

2. The ownerAuthHandle -> entityType MUST be TCPA_ET_OWNER. 

3. Create s1 string by concatenating (ownerAuthHandle -> shared secret || authLastNonceEven) 

4. Create x1 by performing a SHA1 hash of s1 

5. Create decryptAuth by XOR of x1 and newAuth. 

6. The TPM MUST enforce the destruction of the ownerAuthHandle session upon completion of this 
command (successful or unsuccessful). This includes setting continueAuthSession to FALSE. 

7. Set the authorization data for the indicated entity to decryptAuth. 

5.7 Asymmetric Authorization Change Protocol 

If SRKAuth is a well known value, 
TPM_ChangeAuthAsymStart and TPM_ChangeAuthAsymFinish SHOULD be used to change the 
authorisation value of a child of the SRK, including the TPM identities. 

All other entities SHALL involve authorization of the parent entity. 

5.7.1 TPM_ChangeAuthAsymStart 




TCPA protected capability; user must provide authorization for the identity in idHandle. 
Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_ChangeAuthAsymStart. |
| 4 | 4 | | | TCPA_KEY_HANDLE | idHandle | The keyHandle identifier of a loaded identity ID key |
| 5 | 20 | 2s | 20 | TCPA_NONCE | antiReplay | The nonce to be inserted into the certifyInfo structure |
| 6 | <> | 3s | <> | TCPA_KEY_PARMS | tempKey | Structure contains all parameters of ephemeral key. |
| 7 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for idHandle authorization. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 8 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 9 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 10 | 20 | | | TCPA_AUTHDATA | idAuth | The authorization digest for inputs and idHandle. HMAC key: idKey.usageAuth. |

Outgoing Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_ChangeAuthAsymStart |
| 7 | 95 | 3s | 95 | TCPA_CERTIFY_INFO | certifyInfo | The certifyInfo structure that is to be signed. |
| 8 | 4 | 4s | 4 | UINT32 | sigSize | The used size of the output area for the signature |
| 9 | <> | 5s | <> | BYTE[] | sig | The signature of the certifyInfo parameter. |
| 10 | 4 | 6s | 4 | TCPA_KEY_HANDLE | ephHandle | The keyHandle identifier to be used by ChangeAuthAsymFinish for the ephemeral key |
| 11 | <> | 7s | <> | TCPA_KEY | tempKey | Structure containing all parameters and public part of ephemeral key. TCPA_KEY.encSize is set to 0. |
| 12 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 13 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 14 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: idKey.usageAuth. |



Actions 

1. The TPM SHALL verify the authorization to use the TPM identity key held in idHandle. The TPM 
MUST verify that the key is a TPM identity key. 

2. The TPM SHALL validate the algorithm parameters for the key to create from the tempKey 
parameter. 

a. Recommended key type is RSA 

b. Minimum RSA key size MUST be 512 bits, recommended RSA key size is 1024 

c. For other key types the minimum key size strength MUST be comparable to RSA 512 

3. The TPM SHALL create a new key (k1) in accordance with the algorithm parameter. The newly 
created key is pointed to by ephHandle. 

4. The TPM SHALL fill in all fields in tempKey using k1 for the information. The TCPA_KEY -> encSize 
MUST be 0. 

5. The TPM SHALL fill in certifyInfo using k1 for the information. The certifyInfo -> data field is supplied 
by the antiReplay. 

6. The TPM then signs the certifyInfo parameter using the key pointed to by idHandle. The resulting 
signed blob is returned in sig parameter. 

Field Descriptions for certifyInfo parameter 

| Type | Name | Description |
|---|---|---|
| TCPA_VERSION | version | TCPA version structure; section 4.5. |
| keyFlags | Redirection | This SHALL be set to FALSE |
| | Migratable | This SHALL be set to FALSE |
| | Volatile | This SHALL be set to TRUE |
| TCPA_AUTH_DATA_USAGE | authDataUsage | This SHALL be set to TPM_AUTH_NEVER |
| TCPA_KEY_USAGE | KeyUsage | This SHALL be set to TPM_KEY_AUTHCHANGE |
| UINT32 | PCRInfoSize | This SHALL be set to 0 |
| TCPA_DIGEST | pubDigest | This SHALL be the hash of the public key being certified. |
| TCPA_NONCE | Data | This SHALL be set to antiReplay |
| TCPA_KEY_PARMS | info | This specifies the type of key and its parameters. |
| BOOL | parentPCRStatus | This SHALL be set to FALSE. |

5.7.2 TPM_ChangeAuthAsymFinish 

Type 

TCPA protected capability; caller must provide authorizations for the entity pointed to by parentRef and 
blob. 



Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_ChangeAuthAsymFinish |
| 4 | 4 | | | TCPA_KEY_HANDLE | parentHandle | The keyHandle of the parent key for the input data |
| 5 | 4 | | | TCPA_KEY_HANDLE | ephHandle | The keyHandle identifier for the ephemeral key |
| 6 | 2 | 3s | 2 | TCPA_ENTITY_TYPE | entityType | The type of entity to be modified |
| 7 | 20 | 4s | 20 | TCPA_HMAC | newAuthLink | HMAC calculation that links the old and new authorization values together |
| 8 | 4 | 5s | 4 | UINT32 | newAuthSize | Size of encNewAuth |
| 9 | <> | 6s | <> | BYTE[] | encNewAuth | New authorization data encrypted with ephemeral key. |
| 10 | 4 | 7s | 4 | UINT32 | encDataSize | The size of the inData parameter |
| 11 | <> | 8s | <> | BYTE[] | encData | The encrypted entity that is to be modified. |
| 12 | 4 | | | TCPA_AUTHHANDLE | authHandle | Authorization for parent key. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 13 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 14 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 15 | 20 | | | TCPA_AUTHDATA | privAuth | The authorization digest for inputs and parentHandle. HMAC key: parentKey.usageAuth. |

Outgoing Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_ChangeAuthAsymFinish |
| 4 | 4 | 3s | 4 | UINT32 | outDataSize | The used size of the output area for outData |
| 5 | <> | 4s | <> | BYTE[] | outData | The modified, encrypted entity. |
| 6 | 20 | 5s | 20 | TCPA_NONCE | saltNonce | A nonce value from the TPM RNG to add entropy to the changeProof value |
| 7 | <> | 6s | <> | TCPA_DIGEST | changeProof | Proof that authorization data has changed. |
| 8 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 9 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 10 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: parentKey.usageAuth. |



Description 



If the parentHandle points to the SRK then the HMAC key MUST be built using the TPM Owner 
authorization. 

Actions 

1. The TPM SHALL validate that the authHandle parameter authorizes use of the key in parentHandle. 

2. The encData field MUST be the encData field from TCPA_STORED_DATA or TCPA_KEY. 

3. The TPM SHALL create e1 by decrypting the entity held in the encData parameter. 

4. The TPM SHALL create a1 by decrypting encNewAuth using the authHandle -> 
TPM_KEY_AUTHCHANGE private key. a1 is a structure of type TCPA_CHANGEAUTH_VALIDATE. 

5. The TPM SHALL create b1 by performing the following HMAC calculation: b1 = HMAC (a1 -> 
newAuthSecret). The secret for this calculation is encData -> currentAuth. This means that b1 is a 
value built from the current authorization value (encData -> currentAuth) and the new authorization 
value (a1 -> newAuthSecret). 

6. The TPM SHALL compare b1 with newAuthLink. The TPM SHALL indicate a failure if the values do 
not match. 

7. The TPM SHALL replace e1 -> authData with a1 -> newAuthSecret 

8. The TPM SHALL encrypt e1 using the appropriate functions for the entity type. The key to encrypt 
with is parentHandle. 

9. The TPM SHALL create saltNonce by taking the next 20 bytes from the TPM RNG. 

10. The TPM SHALL create changeProof, a HMAC of (saltNonce concatenated with a1 -> n1) using a1 -> 
newAuthSecret as the HMAC secret. 

11. The TPM MUST destroy the TPM_KEY_AUTHCHANGE key associated with the authorization 
session. 
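
Steps 5, 6, 9 and 10 above as an added example (not code from the specification): the TPM-side newAuthLink check and the caller-side changeProof check. It assumes HMAC-SHA1, treats a1 as already decrypted with the ephemeral key, treats a1 -> n1 as a 20-byte value known to the caller, and uses hypothetical function and exception names with constructed sample values.

```python
import hashlib
import hmac
import os


class AuthLinkMismatch(Exception):
    """Hypothetical error type; the page only says the TPM indicates a failure."""


def make_new_auth_link(current_auth, new_auth_secret):
    """Step 5: b1 = HMAC(a1 -> newAuthSecret), keyed with encData -> currentAuth."""
    return hmac.new(current_auth, new_auth_secret, hashlib.sha1).digest()


def tpm_asym_finish(current_auth, new_auth_secret, n1, new_auth_link, salt_nonce=None):
    """TPM side of steps 5-10, with the blob encryption steps left out."""
    b1 = make_new_auth_link(current_auth, new_auth_secret)
    # Step 6: constant-time comparison of b1 with the newAuthLink operand.
    if not hmac.compare_digest(b1, new_auth_link):
        raise AuthLinkMismatch("newAuthLink does not match b1")
    # Step 9: saltNonce is 20 bytes from the RNG (os.urandom stands in for it).
    if salt_nonce is None:
        salt_nonce = os.urandom(20)
    # Step 10: changeProof = HMAC(saltNonce || n1), keyed with newAuthSecret.
    change_proof = hmac.new(new_auth_secret, salt_nonce + n1, hashlib.sha1).digest()
    return salt_nonce, change_proof


def caller_check_change_proof(new_auth_secret, n1, salt_nonce, change_proof):
    """Caller side: recompute changeProof from the returned saltNonce."""
    expected = hmac.new(new_auth_secret, salt_nonce + n1, hashlib.sha1).digest()
    return hmac.compare_digest(expected, change_proof)


def run_exchange(claimed_current_auth):
    """Run one exchange; the caller builds newAuthLink from the auth it claims to know."""
    # Constructed sample values.
    stored_current_auth = hashlib.sha1(b"constructed current auth").digest()
    new_auth_secret = hashlib.sha1(b"constructed new auth").digest()
    n1 = bytes([0x5A]) * 20

    link = make_new_auth_link(claimed_current_auth, new_auth_secret)
    try:
        salt, proof = tpm_asym_finish(stored_current_auth, new_auth_secret, n1, link)
    except AuthLinkMismatch:
        return "rejected"
    ok = caller_check_change_proof(new_auth_secret, n1, salt, proof)
    return "changed" if ok else "proof-invalid"


if __name__ == "__main__":
    print(run_exchange(hashlib.sha1(b"constructed current auth").digest()))
    print(run_exchange(hashlib.sha1(b"constructed wrong auth").digest()))
```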

The TPM MUST reserve 160 bits for the authorization data. The TPM treats the authorization data as a 
blob. The TPM MUST keep the authorization data in a shielded location. 

The TPM MUST enforce that the only usage in the TPM of the authorization data is to perform 
authorizations. 

5.9 Nonces 




The requestor SHOULD provide a unique value in the odd nonce field of the authorization structure for 
each request. The TPM MAY enforce the uniqueness of values from the requestor. 



The TPM MUST supply a new nonce value for each reply. The nonce value MUST come from the internal 
RNG. The TPM MUST enforce the validity of the returning nonce another command uses the 
authorization session. 

5.10 Authorization Handle 




The TPM MUST support authorization handles. The TPM MUST support a minimum of two concurrent 
authorization handles. 



The TPM MUST support authorization-handle termination. The termination includes secure deletion of all 
authorization session information. 

5.11 TPM Ownership 




The TPM MUST ship with no Owner installed. The TPM MUST use the ownership-control protocol. 

5.11.1 TPM_TakeOwnership 

Type 

TCPA protected capability; user must encrypt the values using the PUBEK. 



Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_TakeOwnership |
| 4 | 2 | 2s | 2 | TCPA_PROTOCOL_ID | protocolID | The ownership protocol in use: |
| 5 | 4 | 3s | 4 | UINT32 | encOwnerAuthSize | The size of the encOwnerAuth field |
| 6 | <> | 4s | <> | BYTE[] | encOwnerAuth | The owner authorization data encrypted with PUBEK |
| 7 | 4 | 5s | 4 | UINT32 | encSrkAuthSize | The size of the encSrkAuth field |
| 8 | 256 | 6s | 256 | BYTE[] | encSrkAuth | The SRK authorization data encrypted with PUBEK |
| 9 | <> | 7s | <> | TCPA_KEY | srkParams | Structure containing all parameters of new SRK. pubKey.keyLength & encSize are both 0 |
| 10 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for this command |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 11 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 12 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 13 | 20 | | | TCPA_AUTHDATA | ownerAuth | Authorization digest for input params. HMAC key: the new ownerAuth value. See actions for validation operations |


Outgoing Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_TakeOwnership |
| 4 | <> | 3s | <> | TCPA_KEY | srkPub | Structure containing all parameters of new SRK. srkPub.encData is set to 0. |
| 5 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 6 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 7 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: the new ownerAuth value |



Actions 

The new owner MUST encrypt the Owner authorization data and the SRK authorization data using the 
PUBEK. The endorsement key pair MUST be an RSA key so the encryption algorithm in use to encrypt 
these secrets is RSA. 

If the TPM has a current owner then the TPM upon receipt of this command SHALL return the error code 
TCPA_OWNER_SET. 

If the TPM has no current owner then the TPM upon receipt of this command SHALL: 

1. If no EK is present the TPM MUST return TCPA_NO_ENDORSEMENT. 

2. If TCPA_PERSISTENT_FLAGS -> ownership is FALSE, the TPM SHALL abandon the process of 
granting ownership and return the error TCPA_INSTALL_DISABLED. 

3. Verify that the authorization session is of type OI-AP. 

4. Decrypt EncOwnerAuth using the PRIVEK to generate ProspectiveOwnerAuth. 

5. Use the TCPA authorization protocol to verify that all input parameters tagged with AUTH have been 
sent by an entity that knows ProspectiveOwnerAuth. 

6. Store ProspectiveOwnerAuth as the Owner's authorization data. 

7. Generate a new SRK in accordance with the algorithm parameter. In version 1 of the specification, 
algorithm MUST indicate a 2048 bit RSA key. 

8. Verify that srkParams->keyUsage is TPM_KEY_STORAGE. If it is not, return 
TCPA_BAD_PARAMETER. 

9. Verify that srkParams->keyFlags->migratable is FALSE. If it is not, return TCPA_BAD_PARAMETER. 

10. Decrypt EncSrkAuth using the PRIVEK and store the result as the SRK's authorization data. 

11. Obtain a TCPA_NONCE from the TPM's Random Number Generator and store it as 
TCPA_PERSISTENT_DATA -> tpmProof. tpmProof SHALL be stored in TCPA shielded locations, 
only. 

12. Return the public part of the SRK to the caller. 

13. Calculate an authenticated response using the new authorization data. 
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6. Integrity Collection and Reporting 
6.1 Introduction 
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6.2 Platform Configuration Registers 

6.2.1 Format and Properties 

A Platform Configuration Register (PCR) consists of a 160-bit field that holds a cumulatively updated 
hash value and a 4-byte status field. The PCR data structure MUST be a TCPA-shielded location. PCRs 
SHOULD be in volatile storage. The PCRs MUST be set to 0 before first use. This specification does not 
mandate the internal storage format. 

A TPM implementation MUST provide 16 or more independent PCRs. These PCRs are identified by index 
and MUST be numbered from 0 (that is, PCR 0 through PCR 15 are required for TCPA compliance). 
Vendors MAY implement more registers for general-purpose use. Extra registers MUST be numbered 
contiguously from 16 up to max - 1, where max is the maximum offered by the TPM. 

The TCPA-protected capabilities that expose and modify the PCRs use a 32-bit index, indicating the
maximum usable PCR index. However, TCPA reserves register indices 2^30 and higher for later versions of
the specification. A TPM implementation MUST NOT provide registers with indices greater than or equal
to 2^30. In this specification, the following terminology is used (although this internal format is not
mandated).

6.2.2 Initialization 

PCRs and the protected capabilities that operate upon them MAY NOT be used until power-on self-test 
(TPM POST) has completed. If TPM POST fails, the TPM_Extend operation will fail; and, of greater 
importance, the TPM_Quote operation and TPM_Seal operations that respectively report and examine 
the PCR contents MUST fail. At the successful completion of TPM POST, all PCRs MUST be set to 0.
Additionally, the UINT32 flags MUST be set to zero.

6.2.3 Authorized PCRs 

A TPM MUST provide one Data Integrity Register (DIR). Implementations MAY provide more. These 
registers MUST hold 160-bit values and MUST be held in TCPA-shielded locations. Further, these 
registers MUST be non-volatile (values are maintained during the power-off state). A TPM implementation 
need not provide the same number of DIRs as PCRs.

6.3 Operations Supporting Integrity Collection and Reporting

6.3.1 TPM_Extend

Type

TCPA protected capability.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_Extend. |
| 4 | 4 | | | TCPA_PCRINDEX | pcrNum | The PCR to be updated. |
| 5 | 20 | | | TCPA_DIGEST | inDigest | The 160 bit value representing the event to be recorded. |

Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 20 | | | TCPA_PCRVALUE | outDigest | The PCR value after execution of the command. |



Descriptions 

TPM_Extend, TPM_SHA1CompleteExtend and TPM_Startup SHALL be the only commands that alter the
value of any PCRs.

When TCPA_PERSISTENT_FLAG -> disable is TRUE, TPM_Extend SHALL update the target PCR but
return zero instead of the new value of the PCR.

Actions

1. Create d by concatenating (PCRindex TCPA_PCRVALUE || inDigest). This takes the current PCR
value and concatenates the inDigest parameter.

2. Create h1 by performing a SHA1 digest of d.

3. Store h1 as the new TCPA_PCRVALUE of PCRindex

4. If TCPA_PERSISTENT_FLAG -> disable is TRUE

a. Set outDigest to 20 bytes of 0x00

5. Else

a. Set outDigest to h1
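
The extend rule above, as an added example that is not part of the specification: a software model of the PCR set that follows Actions 1 to 5 and the disable behaviour, and then goes one step further by replaying an ordered measurement log to recompute the value a PCR should hold. The class and function names, the sample log, and the choice of SHA-1 over the measured bytes as inDigest are assumptions of this example.

```python
import hashlib
import hmac

PCR_SIZE = 20              # a PCR holds a 160-bit SHA-1 value
REQUIRED_PCRS = 16         # PCR 0 through PCR 15 are mandatory
RESERVED_INDEX = 1 << 30   # indices >= 2^30 are reserved by the specification


class PcrBank:
    """Software model of the PCR set, for checking measurements off-device."""

    def __init__(self, count=REQUIRED_PCRS, disabled=False):
        if not REQUIRED_PCRS <= count <= RESERVED_INDEX:
            raise ValueError("a TPM offers between 16 and 2^30 PCRs")
        self.disabled = disabled                # models TCPA_PERSISTENT_FLAG -> disable
        self.pcrs = [bytes(PCR_SIZE)] * count   # all PCRs are 0 after TPM POST

    def extend(self, pcr_num, in_digest):
        """Actions 1-5 of TPM_Extend; the return value is outDigest."""
        if not 0 <= pcr_num < len(self.pcrs):
            raise IndexError("PCR index out of range")
        if len(in_digest) != PCR_SIZE:
            raise ValueError("inDigest must be exactly 20 bytes")
        d = self.pcrs[pcr_num] + in_digest      # 1. current PCR value || inDigest
        h1 = hashlib.sha1(d).digest()           # 2. SHA1 digest of d
        self.pcrs[pcr_num] = h1                 # 3. h1 becomes the new PCR value
        # 4./5. the PCR is updated either way; only the returned value differs
        return bytes(PCR_SIZE) if self.disabled else h1

    def read(self, pcr_index):
        """TPM_PcrRead: current contents of the named register."""
        if not 0 <= pcr_index < len(self.pcrs):
            raise IndexError("PCR index out of range")
        return self.pcrs[pcr_index]


def replay(events, count=REQUIRED_PCRS):
    """Recompute PCR values from an ordered list of (pcr_num, measured_bytes).

    Assumption of this example: inDigest is SHA-1 over the measured bytes.
    """
    bank = PcrBank(count)
    for pcr_num, measured in events:
        bank.extend(pcr_num, hashlib.sha1(measured).digest())
    return bank


def log_matches(events, pcr_index, reported_value):
    """True only if replaying the log reproduces the reported PCR value."""
    expected = replay(events).read(pcr_index)
    return hmac.compare_digest(expected, reported_value)


# Constructed sample measurement log: (PCR index, measured bytes), in order.
SAMPLE_LOG = [
    (0, b"constructed firmware image"),
    (4, b"constructed boot loader"),
    (4, b"constructed kernel image"),
]
```

Because each new value depends on the previous one, a log with the same entries in a different order, or with one entry altered, no longer reproduces the reported value.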
6.3.2 TPM_PcrRead



Type

TCPA protected capability

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_PcrRead. |
| 4 | 4 | | | TCPA_PCRINDEX | pcrIndex | Index of the PCR to be read |

Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 20 | | | TCPA_PCRVALUE | outDigest | The current contents of the named PCR |



Actions 

The TPM_PcrRead operation returns the current contents of the named register to the caller.

6.3.4 TPM_DirWriteAuth

Type

TCPA protected capability; the user must provide authorization from the TPM Owner to execute function.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_DirWriteAuth. |
| 4 | 4 | 2S | 4 | TCPA_DIRINDEX | dirIndex | Index of the DIR |
| 5 | 20 | 3S | 20 | TCPA_DIRVALUE | newContents | New value to be stored in named DIR |
| 6 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for command. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 7 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 8 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 9 | 20 | | | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs. HMAC key: ownerAuth. |

Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_DirWriteAuth |
| 4 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 5 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 6 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: ownerAuth. |

Actions

1. Validate that authHandle contains a TPM Owner authorization to execute the TPM_DirWriteAuth
command

2. Validate that dirIndex points to a valid DIR on this TPM

3. Write newContents into the DIR pointed to by dirIndex

6.3.5 TPM_DirRead

Type

TCPA protected capability.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_DirRead. |
| 4 | 4 | | | TCPA_DIRINDEX | dirIndex | Index of the DIR to be read |

Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 20 | | | TCPA_DIRVALUE | dirContents | The current contents of the named DIR |

Actions

1. Validate that dirIndex points to a valid DIR on this TPM

2. Return the contents of the DIR in dirContents

7. Protected Storage

7.1 Introduction

7.1.1 Characteristics

7.1.2 Key Storage

The number of asymmetric keys that are storable via a TPM SHOULD be limited only by the volume of 
storage available to the platform. 

The TPM SHALL ensure that the TCPA_PERSISTENT_FLAGS -> tpmProof field is only included on TPM
internally generated non-migratable keys. The rationale is that the tpmProof field is confidential
information and exposure of this information would lower the security of the system.

7.2 Mandatory Functions

7.2.1 TPM_Seal

Type

TPM function; user must provide authorization to use the key pointed to by keyHandle.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_Seal. |
| 4 | 4 | | | TCPA_KEYHANDLE | keyHandle | Handle of a loaded key that can perform seal operations. |
| 5 | 20 | 2S | 20 | TCPA_ENCAUTH | encAuth | The encrypted authorization data for the sealed data. The encryption key is the shared secret from the OS-AP protocol. |
| 6 | 4 | 3S | 4 | UINT32 | pcrInfoSize | The size of the pcrInfo parameter. If 0 there are no PCR registers in use |
| 7 | <> | 4S | <> | TCPA_PCR_INFO | pcrInfo | The PCR selection information |
| 8 | 4 | 5S | 4 | UINT32 | inDataSize | The size of the inData parameter |
| 9 | <> | 6S | <> | BYTE[] | inData | The data to be sealed to the platform and any specified PCRs |
| 10 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for keyHandle authorization. Must be an OS_AP session for this command. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 11 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 12 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Ignored |
| 13 | 20 | | | TCPA_AUTHDATA | pubAuth | The authorization digest for inputs and keyHandle, HMAC key: key.usageAuth. |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_Seal. |
| 4 | <> | 3S | 4 | TCPA_STORED_DATA | sealedData | Encrypted, integrity-protected data object that is the result of the TPM_Seal operation. |
| 5 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 6 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, fixed value of FALSE |
| 7 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: key.usageAuth. |



Descriptions 

The string used for XOR encryption of the command variable named encAuth SHALL be the digest 
created by concatenating the shared session secret with the even numbered hash (generated by the 
TPM) and hashing the concatenated value. 

TPM_Seal is used to encrypt private objects that can only be decrypted using TPM_Unseal.

Actions

1. If the inDataSize is 0 the TPM returns TCPA_BAD_PARAMETER

2. If the keyUsage field of the key indicated by keyHandle does not have the value
TPM_KEY_STORAGE, the TPM must return the error code TCPA_INVALID_KEYUSAGE.

3. If the keyHandle points to a migratable key then the TPM MUST return the error code
TCPA_INVALID_KEY_USAGE.

4. The TPM_Seal command MUST fill in a TPM_STORED_DATA structure. This structure includes a
properly filled in and encrypted TCPA_SEALED_DATA structure. The encryption key for the
operation is the key pointed to by the keyHandle parameter.

5. The TPM MUST set the TPM_STORED_DATA -> ver to the current TPM version.

6. Create an XOR-string by concatenating the shared session secret with the even numbered hash
(generated by the TPM) and hashing the concatenated value. Generate the plaintext authorization
data for the sealed data by XORing the XOR-string with the variable encAuth.

7. Set continueAuthSession to FALSE.

8. If the data is wrapped to PCR's then

a. The TPM MUST check that the pcrInfo parameter is a consistent
TCPA_PCR_SELECTION structure. If not, the TPM MUST return the error code
TCPA_BADINDEX.

b. The TPM MUST compute a1 by creating TCPA_COMPOSITE_HASH value using pcrInfo
-> pcrSelection as the input to the algorithm in 10.4.5.

c. The TPM MUST set TPM_STORED_DATA -> sealInfo -> digestAtRelease to pcrInfo ->
digestAtRelease.

d. The TPM MUST set TPM_STORED_DATA -> sealInfo -> digestAtCreation to a1

e. The TPM MUST set TPM_STORED_DATA -> sealInfoSize to the size of the
TCPA_PCR_INFO structure.

9. Else

a. The TPM MUST set TPM_STORED_DATA -> sealInfoSize to 0.

10. The TPM provides no validation of the authorization data. Well known values like nulls are possible
and allowed.

11. The TPM must ensure that the PAYLOAD_TYPE byte of any sealed data is set to the proper value to
ensure that all encrypted elements can be distinguished from each other.

7.2.2 TPM_Unseal



Type

TPM protected capability; the user must provide authorizations to use the parent key pointed to by
parentHandle.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH2_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_Unseal. |
| 4 | 4 | | | TCPA_KEY_HANDLE | parentHandle | Handle of a loaded key that can unseal the data. |
| 5 | <> | 2S | <> | TCPA_STORED_DATA | inData | The encrypted data generated by TPM_Seal. |
| 6 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for parentHandle. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 7 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 8 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 9 | 20 | | | TCPA_AUTHDATA | parentAuth | The authorization digest for inputs and parentHandle. HMAC key: parentKey.usageAuth. |
| 10 | 4 | | | TCPA_AUTHHANDLE | dataAuthHandle | The authorization handle used to authorize inData |
| | | 2H2 | 20 | TCPA_NONCE | dataLastNonceEven | Even nonce previously generated by TPM |
| 11 | 20 | 3H2 | 20 | TCPA_NONCE | datanonceOdd | Nonce generated by system associated with entityAuthHandle |
| 12 | 1 | 4H2 | 1 | BOOL | continueDataSession | Continue usage flag for dataAuthHandle. |
| 13 | 20 | | | TCPA_AUTHDATA | dataAuth | The authorization digest for the encrypted entity. HMAC key: entity.usageAuth. |

Outgoing Operands and Sizes



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH2_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_Unseal. |
| 4 | 4 | 3S | 4 | UINT32 | sealedDataSize | The used size of the output area for secret |
| 5 | <> | 4S | <> | BYTE[] | secret | Decrypted data that had been sealed |
| 6 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 7 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 8 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: parentKey.usageAuth. |
| 9 | 20 | 2H2 | 20 | TCPA_NONCE | dataNonceEven | Even nonce newly generated by TPM. |
| | | 3H2 | 20 | TCPA_NONCE | datanonceOdd | Nonce generated by system associated with dataAuthHandle |
| 10 | 1 | 4H2 | 1 | BOOL | continueDataSession | Continue use flag, TRUE if handle is still active |
| 11 | 20 | | | TCPA_AUTHDATA | dataAuth | The authorization digest used for the dataAuth session. HMAC key: entity.usageAuth. |



Actions 

1. The TPM MUST validate that parentAuth authorizes the use of the key in parentHandle. On failure
the TPM MUST return TCPA_AUTHFAIL.

2. If the keyUsage field of the key indicated by parentHandle does not have the value
TPM_KEY_STORAGE, the TPM must return the error code TCPA_INVALID_KEYUSAGE.

3. The TPM MUST check that the TCPA_KEY_FLAGS -> Migratable flag has the value FALSE in the
key indicated by parentKeyHandle. If not, the TPM MUST return the error code
TCPA_BAD_PARAMETER.

4. The TPM MUST create d1 by decrypting inData using the key pointed to by parentHandle. inData is a
TCPA_STORED_DATA structure and the encrypted area is pointed to by inData -> encData.

5. The TPM MUST check the integrity of the d1. The integrity check establishes that the d1 is a
consistent TPM_SEALED_DATA structure created by a TPM_Seal operation on the same TPM
that is attempting the TPM_Unseal and that d1 has not been modified.

a. The TPM MUST check that the d1 -> tpmProof matches TCPA_PERSISTENT_DATA ->
tpmProof.

b. The TPM MUST calculate h1 by performing the same calculation that creates
TPM_SEALED_DATA -> storedDigest.

c. The TPM MUST validate that h1 and d1 -> storedDigest match.

d. The TPM MUST check the TCPA_PAYLOAD_TYPE value and ensure that it is not
decrypting a key.

e. If d1 fails the integrity checks, then the operation MUST return the error
TCPA_NOTSEALED_BLOB.

6. The TPM must validate the authorization to use d1. The TPM MUST validate the authorization in
dataAuth matches the d1 -> authData parameter. The TPM MUST return TCPA_AUTHFAIL on a
mismatch.

7. If inData is wrapped to PCR's then,

a. The TPM MUST ensure that the PCRs to which the blob was sealed are the same as the
PCRs' values that exist at the time of TPM_Unseal.

b. The TPM MUST validate that inData -> pcrInfo is a valid TCPA_INFO_STRUCTURE.

c. The TPM will create h1 by computing a composite hash using the inData -> pcrInfo
parameter as the input to the composite hashing algorithm (See 10.4.5).

d. The TPM MUST compare h1 with inData -> pcrInfo -> digestAtRelease. On a mismatch
the TPM MUST return TCPA_WRONGPCRVALUE.

8. else

a. The TPM does not need to check PCR configuration.

7.2.3 TSS_Bind

7.2.4 TPM_UnBind




Type

TCPA protected capability; the user must provide authorization to use the key specified in the keyHandle
parameter.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_UnBind. |
| 4 | 4 | | | TCPA_KEY_HANDLE | keyHandle | The keyHandle identifier of a loaded key that can perform UnBind operations. |
| 5 | 4 | 2S | 4 | UINT32 | inDataSize | The size of the input blob |
| 6 | <> | 3S | <> | BYTE[] | inData | Encrypted blob to be decrypted |
| 7 | 4 | | | TCPA_AUTHHANDLE | authHandle | The handle used for keyHandle authorization |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 8 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 9 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 10 | 20 | | | TCPA_AUTHDATA | privAuth | The authorization digest that authorizes the inputs and use of keyHandle. HMAC key: key.usageAuth. |

Outgoing Operands and Sizes



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_UnBind |
| 4 | 4 | 3S | 4 | UINT32 | outDataSize | The length of the returned decrypted data |
| 5 | <> | 4S | <> | BYTE[] | outData | The resulting decrypted data. |
| 6 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 7 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 8 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: key.usageAuth. |



Description

UnBind SHALL operate on a single block only.

Actions

The TPM SHALL perform the following:

1. If the inDataSize is 0 the TPM returns TCPA_BAD_PARAMETER

2. Validate the authorization to use the key pointed to by keyHandle

3. If the keyUsage field of the key referenced by keyHandle does not have the value TPM_KEY_BIND
or TPM_KEY_LEGACY, the TPM must return the error code TCPA_INVALID_KEYUSAGE

4. Decrypt the inData using the key pointed to by keyHandle

5. if (keyHandle -> encScheme does not equal TCPA_ES_RSAESOAEP_SHA1_MGF1) and
(keyHandle -> keyUsage equals TPM_KEY_LEGACY),

a. The payload does not have TCPA specific markers to validate, so no consistency check
can be performed.

b. Set the output parameter outData to the value of the decrypted value of inData. (Padding
associated with the encryption wrapping of inData SHALL NOT be returned.)

c. Set the output parameter outDataSize to the size of outData, as deduced from the
decryption process.

6. else

a. Interpret the decrypted data under the assumption that it is a TCPA_BOUND_DATA
structure, and validate that the payload type is TCPA_PT_BIND

b. Set the output parameter outData to the value of TCPA_BOUND_DATA -> payloadData.
(Other parameters of TCPA_BOUND_DATA SHALL NOT be returned. Padding
associated with the encryption wrapping of inData SHALL NOT be returned.)

c. Set the output parameter outDataSize to the size of outData, as deduced from the
decryption process and the interpretation of TCPA_BOUND_DATA.

d. Return the output parameters.

7.2.5 TPM_CreateWrapKey

Type

TCPA protected capability; the user must provide authorization to use the key indicated by parentHandle.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_CreateWrapKey |
| 4 | 4 | | | TCPA_KEY_HANDLE | parentHandle | Handle of a loaded key that can perform key wrapping. |
| 5 | 20 | 2S | 20 | TCPA_ENCAUTH | dataUsageAuth | Encrypted usage authorization data for the sealed data. |
| 6 | 20 | 3S | 20 | TCPA_ENCAUTH | dataMigrationAuth | Encrypted migration authorization data for the sealed data |
| 7 | <> | 4S | <> | TCPA_KEY | keyInfo | Information about key to be created, pubkey.keyLength and keyInfo.encData elements are 0. |
| 8 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for parent key authorization. Must be an OS_AP session. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 9 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 10 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Ignored |
| 11 | 20 | | | TCPA_AUTHDATA | pubAuth | The authorization digest that authorizes the use of the public key in parentHandle. HMAC key: parentKey.usageAuth. |

Outgoing Operands and Sizes



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_CreateWrapKey |
| 4 | <> | 4S | <> | TCPA_KEY | wrappedKey | The TCPA_KEY structure which includes the public and encrypted private key |
| 5 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 6 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, fixed at FALSE |
| 7 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: parentKey.usageAuth. |



Descriptions 

This command requires the encryption of two parameters. To create two XOR strings the caller combines
the two nonces in use by the OSAP session with the session shared secret.

DataUsageAuth is XOR'd with the SHA-1 hash of the concatenation of the OSAP session shared secret 
with the even numbered nonce generated by the TPM (authLastNonceEven). MigrationAuth is XOR'd with 
the SHA-1 hash of the concatenation of the OSAP session shared secret with the odd numbered nonce 
generated by the caller (nonceOdd). 

Actions 

The TPM SHALL do the following: 

1. Validate the authorization to use the key pointed to by parentHandle. Return TCPA_AUTHFAIL on
any error.

2. Validate the session type for parentHandle is OS-AP.

3. Verify that parentHandle->keyUsage equals TPM_KEY_STORAGE

4. If parentHandle -> keyFlag -> migratable is TRUE and keyInfo -> keyFlag -> migratable is FALSE
then return TCPA_INVALID_KEYUSAGE

5. Validate key parameters

a. keyInfo -> keyUsage MUST NOT be TPM_KEY_IDENTITY or
TPM_KEY_AUTHCHANGE. If it is, return TCPA_BAD_PARAMETER.

b. If keyInfo -> keyUsage equals TPM_KEY_STORAGE

i. algorithmID MUST be TCPA_ALG_RSA

ii. encScheme MUST be TCPA_ES_RSAESOAEP_SHA1_MGF1

iii. sigScheme MUST be TCPA_SS_NONE

iv. key size MUST be 2048

6. Validate all keyInfo parameters, any errors return TCPA_BAD_PARAMETER

7. Create the two XOR patterns by using the session key and the nonces for this transaction

8. Set continueAuthSession to FALSE

9. Decrypt the DataUsageAuth and DataMigrationAuth parameters

10. Generate asymmetric key according to algorithm information in keyInfo

11. Fill in the wrappedKey structure with information from the newly generated key.

a. Set the auth member of this structure to the decrypted values of DataUsageAuth.

b. The TPM MUST set the wrappedKey -> ver to the current TPM version.

c. If the KeyFlags -> migratable bit is set to 1, the wrappedKey -> encData -> migrationAuth
SHALL contain the decrypted value from DataMigrationAuth.

d. If the KeyFlags -> migratable bit is set to 0, the wrappedKey -> encData ->
migrationAuth SHALL be set to the value tpmProof.

12. Encrypt the private portions of the wrappedKey structure using the key in keyHandle

13. Return the newly generated key in the wrappedKey parameter
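
The XOR encryption of authorization data used by TPM_Seal (encAuth) and by TPM_CreateWrapKey (DataUsageAuth and DataMigrationAuth), as an added example that is not part of the specification, showing the caller side and the TPM side of the exchange. Function names and sample values are constructed for this example, the shared session secret is taken as an already established 20-byte input, and the "even numbered hash" in the TPM_Seal text is assumed to be authLastNonceEven, as the TPM_CreateWrapKey description names it.

```python
import hashlib
import hmac

AUTH_SIZE = 20   # TCPA_ENCAUTH, TCPA_NONCE and a SHA-1 digest are all 20 bytes


def xor_string(shared_secret, nonce):
    """SHA-1(shared session secret || nonce): the XOR string for one parameter."""
    if len(shared_secret) != AUTH_SIZE or len(nonce) != AUTH_SIZE:
        raise ValueError("shared secret and nonce must be 20 bytes each")
    return hashlib.sha1(shared_secret + nonce).digest()


def xor_auth(value, pad):
    """XOR a 20-byte value with a pad; the same call encrypts and decrypts."""
    if len(value) != AUTH_SIZE or len(pad) != AUTH_SIZE:
        raise ValueError("value and pad must be 20 bytes each")
    return bytes(a ^ b for a, b in zip(value, pad))


def caller_seal_enc_auth(data_auth, shared_secret, auth_last_nonce_even):
    """Caller side of TPM_Seal: build encAuth with the even-nonce XOR string."""
    return xor_auth(data_auth, xor_string(shared_secret, auth_last_nonce_even))


def caller_create_wrap_key(usage_auth, migration_auth, shared_secret,
                           auth_last_nonce_even, nonce_odd):
    """Caller side of TPM_CreateWrapKey: one XOR string per parameter."""
    if hmac.compare_digest(auth_last_nonce_even, nonce_odd):
        raise ValueError("equal nonces would give both parameters the same pad")
    enc_usage = xor_auth(usage_auth,
                         xor_string(shared_secret, auth_last_nonce_even))
    enc_migration = xor_auth(migration_auth,
                             xor_string(shared_secret, nonce_odd))
    return enc_usage, enc_migration


def tpm_recover(enc_usage, enc_migration, shared_secret,
                auth_last_nonce_even, nonce_odd):
    """TPM side (Actions 7 and 9): rebuild both XOR strings and decrypt."""
    usage_auth = xor_auth(enc_usage,
                          xor_string(shared_secret, auth_last_nonce_even))
    migration_auth = xor_auth(enc_migration,
                              xor_string(shared_secret, nonce_odd))
    return usage_auth, migration_auth


# Constructed sample values; a real session supplies its own secret and nonces.
SHARED_SECRET = hashlib.sha1(b"constructed OSAP shared secret").digest()
NONCE_EVEN = hashlib.sha1(b"constructed authLastNonceEven").digest()
NONCE_ODD = hashlib.sha1(b"constructed nonceOdd").digest()
USAGE_AUTH = hashlib.sha1(b"constructed usage password").digest()
MIGRATION_AUTH = hashlib.sha1(b"constructed migration password").digest()
```

If both parameters were XORed with a single pad, the XOR of the two encrypted fields would equal the XOR of the two plaintext secrets; with one pad from each nonce that relation does not hold.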



Version 1.1a 1 December 2001 



TCPA Main Specification Page 163



7.2.6 TSS_WrapKey 




Actions 

The TSS SHOULD do the following: 

1. If the keyUsage field of PubKey does not have the value TPM_KEY_STORAGE, the TSS must return
the error code TCPA_INVALID_KEYUSAGE

2. Validate the TCPA_STORE_ASYMKEY structure 

3. Fill in the TCPA_STORE_ASYMKEY structure with the authorization and usage parameters 

4. Set KeyFlags.migratable to 1 

5. Set all other KeyFlags members to the values in KeyFlags parameter 

6. Set TCPA_STORE_ASYMKEY.pcrDigest to 20 bytes of value 0xFF.

7. Encrypt the TCPA_STORE_ASYMKEY structure using the pubkey parameter 

8. Return the entire TCPA_KEY structure 

7.2.7 TSS_WrapKeyToPcr




Actions 

The TSS SHOULD do the following: 

1. If the keyUsage field of PubKey does not have the value TPM_KEY_STORAGE, the TSS must return 
the error code TCPA_INVALID_KEYUSAGE 

2. Validate the TCPA_STORE_ASYMKEY structure 

3. Fill in the TCPA_STORE_ASYMKEY structure with the authorization and usage parameters 

4. Set KeyFlags.migratable to 1

5. Set all other KeyFlags members to the values in KeyFlags parameter 

6. Set TCPA_STORE_ASYMKEY.pcrDigest to TargetPCRHash 

7. Encrypt the TCPA_STORE_ASYMKEY structure using the pubkey parameter 

8. Return the entire TCPA_KEY structure 

7.2.8 TPM_LoadKey




Type 

TCPA protected capability; user must provide authorization to use the parent key pointed to by 
parentHandle. 

Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_LoadKey. |
| 4 | 4 | | | TCPA_KEY_HANDLE | parentHandle | TPM handle of parent key. |
| 5 | <> | 2S | <> | TCPA_KEY | inKey | Incoming key structure, both encrypted private and clear public portions. |
| 6 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for parentHandle authorization. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 7 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 8 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 9 | 20 | | | TCPA_AUTHDATA | parentAuth | The authorization digest for inputs and parentHandle. HMAC key: parentKey.usageAuth. |


Outgoing Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_LoadKey |
| 4 | 4 | 3S | 4 | TCPA_KEY_HANDLE | inkeyHandle | Internal TPM handle where decrypted key was loaded. |
| 5 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 6 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 7 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: parentKey.usageAuth. |



Actions 

The TPM SHALL perform the following steps: 

1. Validate the authorization to use the key in parentHandle 

2. If the keyUsage field of the key referenced by parentHandle does not have the value 
TPM_KEY_STORAGE, the TPM must return the error code TCPA_INVALID_KEYUSAGE 

3. Decrypt the inKey -> privkey to obtain TCPA_STORE_ASYMKEY structure using the key in 
parentHandle 

4. Validate the integrity of inKey and decrypted TCPA_STORE_ASYMKEY 

a. Reproduce inKey -> TCPA_STORE_ASYMKEY -> pubDataDigest using the fields of 
inKey, and check that the reproduced value is the same as pubDataDigest 

5. Validate the consistency of the key and its key usage. 

a. If inKey -> keyFlags -> migratable is TRUE, the TPM SHALL verify consistency of the 
public and private components of the asymmetric key pair. If inKey -> keyFlags -> 
migratable is FALSE, the TPM MAY verify consistency of the public and private 
components of the asymmetric key pair. The consistency of an RSA key pair MAY be 
verified by dividing the supposed (P*Q) product by a supposed prime and checking that 
there is no remainder. 

b. If inKey -> keyUsage is TPM_KEY_IDENTITY, verify that inKey -> keyFlags -> migratable is 
FALSE. If it is not, return TCPA_BAD_PARAMETER 

c. If inKey -> keyUsage is TPM_KEY_AUTHCHANGE, return TCPA_BAD_PARAMETER 

d. If inKey -> keyFlags -> migratable equals 0 then verify that TCPA_STORE_ASYMKEY -> 
migration equals TCPA_PERSISTENT_DATA -> tpmProof 

e. Validate the mix of encryption and signature schemes according to section 4.10.1 

f. If inKey -> keyUsage is TPM_KEY_STORAGE 

i. algorithmID MUST be TCPA_ALG_RSA 

ii. Key size MUST be 2048 

iii. sigScheme MUST be TCPA_SS_NONE 

g. If inKey -> keyUsage is TPM_KEY_IDENTITY 

i. algorithmID MUST be TCPA_ALG_RSA 

ii. Key size MUST be 2048 

iii. encScheme MUST be TCPA_ES_NONE 

h. If the decrypted inKey -> pcrInfo is not NULL, 

i. The TPM validates that inKey -> pcrInfo -> pcrSelection points to at least one 
PCR register. If no PCR registers are selected the TPM MUST NOT perform any 
further checks regarding PCR registers with the loaded key. 

ii. The TPM MUST store the list of active PCR registers in a manner that allows the 
TPM to access this list whenever the loaded key is used for any function. 

iii. Every time before the loaded key is used, the inKey -> PCRInfo structure from 
TPM_LoadKey MUST be used to verify that the current PCR state is correct. The 
TPM MUST ensure that the PCRs to which the key was sealed are the same as 
the PCRs' values that exist at the time of key usage. To do this, the TPM will 
compute a TCPA_COMPOSITE_HASH value using the inKey -> pcrInfo -> 
pcrSelection -> pcrSelect parameter as the input to the composite hashing 
algorithm (See 10.4.5). 

iv. If the resulting composite hash matches the inKey -> PCRInfo -> digestAtRelease 
parameter, the TPM is permitted to use the key. Otherwise, if the composite 
hashes do not match, the TPM is NOT permitted to use the key in the current 
PCR state, and the TPM MUST return TCPA_WRONGPCRVAL. 

i. If the decrypted inKey -> pcrInfo is NULL, 

i. The TPM MUST set the internal indicator to indicate that the key is not using any 
PCR registers. 

6. Perform any processing necessary to make TCPA_STORE_ASYMKEY key available for operations 

7. Load key and key information into internal memory of the TPM. If insufficient memory exists return 
error TCPA_NOSPACE. 

8. Assign inKeyHandle according to internal TPM rules. 

9. Set inKeyHandle -> parentPCRStatus to parentHandle -> parentPCRStatus. 

10. If parentHandle indicates it is using PCR registers then set inKeyHandle -> parentPCRStatus to 
TRUE. The TPM creates an indicator of PCR usage in step 5.h.ii above. This indicator is internal to 
the TPM but MUST accurately reflect the sealing of a key to a PCR register. 

7.2.9 TPM_EvictKey 

Type 

TPM command. Non-authorized. 

Incoming Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_EvictKey |
| 4 | 4 | | | TCPA_KEY_HANDLE | evictHandle | The handle of the key to be evicted. |


Outgoing Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |



Actions 

The TPM will invalidate the key stored in the specified handle and return the space to the available 
internal pool for subsequent query by TPM_GetCapability and usage by TPM_LoadKey. If the specified 
key handle does not correspond to a valid key, an error will be returned. 

7.2.10 TPM_GetPubKey 

Type 



TCPA protected capability; user must provide authorization to use the key pointed to by keyHandle. 

Incoming Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_GetPubKey. |
| 4 | 4 | | | TCPA_KEY_HANDLE | keyHandle | TPM handle of key. |
| 5 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for keyHandle authorization. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 6 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 7 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 8 | 20 | | | TCPA_AUTHDATA | keyAuth | The authorization digest for inputs and keyHandle. HMAC key: key.usageAuth. |


Outgoing Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_GetPubKey. |
| 4 | <> | 3S | <> | TCPA_PUBKEY | pubKey | Public portion of key in keyHandle. |
| 5 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 6 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 7 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: key.usageAuth. |



Actions 

The TPM SHALL perform the following steps: 

1. Validate the authorization to use the key in keyHandle 

2. Create a TCPA_PUBKEY structure and return 



Version 1.1a 1 December 2001 



TCPA Main Specification 






7.2.11 TPM_CreateMigrationBlob 

Type 

TCPA protected capability; user must provide authorizations for the entity pointed to by parentHandle and 
inData. 

Incoming Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH2_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_CreateMigrationBlob |
| 4 | 4 | | | TCPA_KEY_HANDLE | parentHandle | Handle of the parent key that can decrypt encData. |
| 5 | 2 | 2S | 2 | TCPA_MIGRATE_SCHEME | migrationType | The migration type, either MIGRATE or REWRAP |
| 6 | <> | 3S | <> | TCPA_MIGRATIONKEYAUTH | migrationKeyAuth | Migration public key and its authorization digest |
| 7 | 4 | 4S | 4 | UINT32 | encDataSize | The size of the encData parameter |
| 8 | <> | 5S | <> | BYTE[] | encData | The encrypted entity that is to be modified. |
| 9 | 4 | | | TCPA_AUTHHANDLE | parentAuthHandle | The authorization handle used for the parent key. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 10 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with parentAuthHandle |
| 11 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag for parent session |
| 12 | 20 | | 20 | TCPA_AUTHDATA | parentAuth | The authorization digest for inputs and parentHandle. HMAC key: parentKey.usageAuth. |
| 13 | 4 | | | TCPA_AUTHHANDLE | entityAuthHandle | The authorization handle used for the encrypted entity. |
| | | 2H2 | 20 | TCPA_NONCE | entitylastNonceEven | Even nonce previously generated by TPM |
| 14 | 20 | 3H2 | 20 | TCPA_NONCE | entitynonceOdd | Nonce generated by system associated with entityAuthHandle |
| 15 | 1 | 4H2 | 1 | BOOL | continueEntitySession | Continue use flag for entity session |
| 16 | 20 | | | TCPA_AUTHDATA | entityAuth | The authorization digest for the inputs and encrypted entity. HMAC key: entity.migrationAuth. |


Outgoing Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH2_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_CreateMigrationBlob |
| 4 | 4 | 3S | 4 | UINT32 | randomSize | The used size of the output area for random |
| 5 | <> | 4S | <> | BYTE[] | random | String used for xor encryption |
| 6 | 4 | 5S | 4 | UINT32 | outDataSize | The used size of the output area for outData |
| 7 | <> | 6S | <> | BYTE[] | outData | The modified, encrypted entity. |
| 8 | 20 | 3H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 4H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with parentAuthHandle |
| 9 | 1 | 5H1 | 1 | BOOL | continueAuthSession | Continue use flag for parent key session |
| 10 | 20 | | 20 | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters and parentHandle. HMAC key: parentKey.usageAuth. |
| 11 | 20 | 3H2 | 20 | TCPA_NONCE | entityNonceEven | Even nonce newly generated by TPM to cover entity |
| | | 4H2 | 20 | TCPA_NONCE | entitynonceOdd | Nonce generated by system associated with entityAuthHandle |
| 12 | 1 | 5H2 | 1 | BOOL | entityContinueAuthSession | Continue use flag for entity session |
| 13 | 20 | | | TCPA_AUTHDATA | entityAuth | The authorization digest for the returned parameters and entity. HMAC key: entity.migrationAuth. |



Description 

The key that wraps the migration key MUST be a 2048 bit RSA key or higher. 

The TPM does not check the PCR values when migrating values locked to a PCR. 

The second authorisation session (using entityAuth) MUST be OIAP because OSAP does not have 
suitable entityType 

Actions 

1. Validate that parentAuth authorizes the use of the key pointed to by parentHandle. 

2. Create d1 by decrypting encData using the key pointed to by parentHandle. 

3. Validate that entityAuth authorizes the migration of d1. The validation MUST use d1 -> migrationAuth 
as the secret. 

4. Verify that the digest within migrationKeyAuth is legal for this TPM and public key 

5. If migrationType == TCPA_MS_MIGRATE the TPM SHALL perform the following actions: 

a. Build a TCPA_STORE_PRIVKEY structure from the d1 key. This privKey element should be 
132 bytes long for a 2K RSA key. 

b. Create k1 and k2 by splitting the privKey element created in step a into 2 parts. k1 is the first 
20 bytes of privKey, k2 contains the remainder of privKey. 

c. Build m by filling in the usageAuth and pubDataDigest fields within a 
TCPA_MIGRATE_ASYMKEY structure using data from the d1 key. The privKey field should 
be set to k2 (step g) and payload should be set to TCPA_PT_MIGRATE. 

d. Create o1 (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the OAEP 
encoding of m using OAEP parameters of 

i. m = TCPA_MIGRATE_ASYMKEY structure (step c) 

ii. pHash = d1 -> migrationAuth 

iii. seed = s1 = k1 (step g) 

e. Create r1 a random value from the TPM RNG. The size of r1 MUST be the size of o1. Return 
r1 in the Random parameter. 

f. Create x1 by XOR of o1 with r1 

g. Copy r1 into the output field "random". 

h. Encrypt x1 with the migration public key included in migrationKeyAuth. 

6. If migrationType == TCPA_MS_REWRAP the TPM SHALL perform the following actions: 

a. Rewrap the key using the public key in migrationKeyAuth, keeping the existing contents of 
that key. 

b. If randomSize is 0 the TPM returns TCPA_BAD_PARAMETER. 

7.2.12 TPM_ConvertMigrationBlob 

Type 

TCPA protected capability; user must provide authorization to use the key in parentHandle 

Incoming Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_ConvertMigrationBlob. |
| 4 | 4 | | | TCPA_KEY_HANDLE | parentHandle | Handle of a loaded key that can decrypt keys. |
| 5 | 4 | 2S | 4 | UINT32 | inDataSize | Size of inData |
| 6 | <> | 3S | <> | BYTE[] | inData | The XOR'd and encrypted key |
| 7 | 4 | 4S | 4 | UINT32 | randomSize | Size of random |
| 8 | <> | 5S | <> | BYTE[] | random | Random value used to hide key data. |
| 9 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for keyHandle. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 10 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 11 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 12 | 20 | | | TCPA_AUTHDATA | parentAuth | The authorization digest that authorizes the inputs and the migration of the key in parentHandle. HMAC key: parentKey.usageAuth |


Outgoing Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_ConvertMigrationBlob |
| 4 | 4 | 3S | 4 | UINT32 | outDataSize | The used size of the output area for outData |
| 5 | <> | 4S | <> | BYTE[] | outData | The encrypted private key that can be loaded with TPM_LoadKey |
| 6 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 7 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 8 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: parentKey.usageAuth |



Action 

The TPM SHALL perform the following: 

1. Validate the authorization to use the key in parentHandle 

2. If the keyUsage field of the key referenced by parentHandle does not have the value 
TPM_KEY_STORAGE, the TPM must return the error code TCPA_INVALID_KEYUSAGE 

3. Create d1 by decrypting the inData area using the key in parentHandle 

4. Create o1 by XOR d1 and random parameter 

5. Create m1, seed and pHash by OAEP decoding o1 

6. Verify that the payload type is TCPA_PT_MIGRATE 

7. Create k1 by combining seed and the TCPA_MIGRATE_ASYMKEY.data field 

8. Create d2 a TCPA_STORE_ASYMKEY structure by inserting pHash as the migration authorization 
field. Set the TCPA_STORE_ASYMKEY -> privKey field to k1 

9. Create outData using the key in parentHandle to perform the encryption 

7.2.13 TPM_AuthorizeMigrationKey 

Type 

TCPA protected capability; user must provide authorization from the TPM Owner 

Incoming Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed at TPM_ORD_AuthorizeMigrationKey |
| 4 | 2 | 2S | 2 | TCPA_MIGRATE_SCHEME | migrateScheme | Type of migration operation that is to be permitted for this key. |
| 4 | <> | 3S | <> | TCPA_PUBKEY | migrationKey | The public key to be authorized. |
| 5 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for owner authorization. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 6 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 7 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 8 | 20 | | | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and owner authorization. HMAC key: ownerAuth. |


Outgoing Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed at TPM_ORD_AuthorizeMigrationKey |
| 4 | <> | 3S | <> | TCPA_MIGRATIONKEYAUTH | outData | Returned public key and authorization digest. |
| 5 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 6 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 7 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: ownerAuth. |



Action 

The TPM SHALL perform the following: 

1. Validate the authorization to use the TPM by the TPM Owner 

2. Create f1, a TCPA_MIGRATIONKEYAUTH structure 

3. Set f1 -> migrationKey to the input migrationKey 

4. Set f1 -> migrationScheme to the input migrationScheme 

5. Create v1 by concatenating (migrationKey || migrationScheme || TCPA_PERSISTENT_DATA -> 
tpmProof) 

6. Create h1 by performing a SHA1 hash of v1 

7. Set f1 -> digest to h1 

8. Return f1 as outData 
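
The migration path laid out in the Actions of 7.2.11, 7.2.12 and 7.2.13, as an added Python example (not code from the specification): the migrationKeyAuth digest is created and re-checked, a 132-byte privKey is split into k1 and k2, OAEP-encoded with seed = k1 and pHash = migrationAuth into the 198-byte o1, masked with r1, and recovered on the destination side. Assumptions: dicts stand in for the TCPA structures, the numeric values of TCPA_PT_MIGRATE and TCPA_MS_MIGRATE, the field order and big-endian length field of TCPA_MIGRATE_ASYMKEY, and an OAEP encoding of the form maskedSeed || maskedDB with no leading zero octet. The RSA wrap and unwrap steps and the authorization sessions are left out.

```python
import hashlib
import hmac
import os
import struct

HLEN = 20                 # SHA-1 digest length
O1_LEN = 198              # length the page gives for o1 with a 2048-bit RSA key
TCPA_PT_MIGRATE = 0x03    # assumed numeric value; the page only names the constant
TCPA_MS_MIGRATE = 0x0001  # assumed numeric value; the page only names the constant

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function over SHA-1."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha1(seed + struct.pack(">I", counter)).digest()
        counter += 1
    return out[:length]

def oaep_encode(m: bytes, p_hash: bytes, seed: bytes, em_len: int) -> bytes:
    """OAEP-encode m with a caller-chosen seed and pHash: maskedSeed || maskedDB."""
    pad = em_len - 2 * HLEN - 1 - len(m)
    if len(seed) != HLEN or len(p_hash) != HLEN or pad < 0:
        raise ValueError("bad OAEP input sizes")
    db = p_hash + b"\x00" * pad + b"\x01" + m
    masked_db = xor(db, mgf1(seed, len(db)))
    return xor(seed, mgf1(masked_db, HLEN)) + masked_db

def oaep_decode(em: bytes):
    """Inverse of oaep_encode; returns (m, seed, pHash) and leaves pHash to the caller."""
    if len(em) < 2 * HLEN + 1:
        raise ValueError("encoded message too short")
    masked_seed, masked_db = em[:HLEN], em[HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, len(masked_db)))
    p_hash, rest = db[:HLEN], db[HLEN:]
    sep = rest.find(b"\x01")
    if sep < 0 or any(rest[:sep]):
        raise ValueError("bad OAEP padding")
    return rest[sep + 1:], seed, p_hash

def migration_key_digest(migration_key: bytes, scheme: int, tpm_proof: bytes) -> bytes:
    """7.2.13 steps 5-6: h1 = SHA1(migrationKey || migrationScheme || tpmProof)."""
    return hashlib.sha1(migration_key + struct.pack(">H", scheme) + tpm_proof).digest()

def authorize_migration_key(migration_key: bytes, scheme: int, tpm_proof: bytes) -> dict:
    """7.2.13 steps 2-8; owner authorization (step 1) is taken as already validated."""
    return {"migrationKey": migration_key, "migrationScheme": scheme,
            "digest": migration_key_digest(migration_key, scheme, tpm_proof)}

def create_migration_blob(d1: dict, f1: dict, tpm_proof: bytes):
    """7.2.11 steps 4 and 5.a-5.g for TCPA_MS_MIGRATE; returns (x1, r1)."""
    expected = migration_key_digest(f1["migrationKey"], f1["migrationScheme"], tpm_proof)
    if not hmac.compare_digest(expected, f1["digest"]):
        raise PermissionError("migrationKeyAuth digest is not legal for this TPM")
    k1, k2 = d1["privKey"][:HLEN], d1["privKey"][HLEN:]
    # Assumed serialization: payload, usageAuth, pubDataDigest, length, partPrivKey.
    m = (bytes([TCPA_PT_MIGRATE]) + d1["usageAuth"] + d1["pubDataDigest"]
         + struct.pack(">I", len(k2)) + k2)
    o1 = oaep_encode(m, d1["migrationAuth"], k1, O1_LEN)
    r1 = os.urandom(len(o1))
    return xor(o1, r1), r1

def convert_migration_blob(x1: bytes, r1: bytes) -> dict:
    """7.2.12 steps 4-8, applied to the RSA-decrypted blob; returns the fields of d2."""
    m1, seed, p_hash = oaep_decode(xor(x1, r1))
    if len(m1) < 45 or m1[0] != TCPA_PT_MIGRATE:
        raise ValueError("payload type is not TCPA_PT_MIGRATE")
    (part_len,) = struct.unpack(">I", m1[41:45])
    part = m1[45:45 + part_len]
    if len(part) != part_len:
        raise ValueError("truncated private key part")
    # k1 travelled as the OAEP seed and migrationAuth as pHash; neither is inside m1.
    return {"privKey": seed + part, "usageAuth": m1[1:21],
            "pubDataDigest": m1[21:41], "migrationAuth": p_hash}

def demo():
    """Round trip on constructed sample values; returns (len(x1), fields recovered)."""
    tpm_proof = hashlib.sha1(b"constructed tpmProof").digest()
    d1 = {"privKey": struct.pack(">I", 128) + bytes(range(128)),  # 132 bytes
          "usageAuth": b"\x11" * 20, "pubDataDigest": b"\x22" * 20,
          "migrationAuth": b"\x33" * 20}
    f1 = authorize_migration_key(b"constructed TCPA_PUBKEY bytes", TCPA_MS_MIGRATE, tpm_proof)
    x1, r1 = create_migration_blob(d1, f1, tpm_proof)
    d2 = convert_migration_blob(x1, r1)
    return len(x1), d2 == d1
```

With a 132-byte privKey the message m is 157 bytes, so pHash (20), the 0x01 separator and m fill the 178-byte data block exactly and the padding string is empty, which is where the 198-byte figure for o1 comes from.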

Any migration of non-migratory data protected by a Subsystem SHALL require the cooperation of both the 
Owner of that non-migratory data and the manufacturer of that Subsystem. That manufacturer SHALL 
NOT cooperate in a maintenance process unless the manufacturer is satisfied that non-migratory data will 
exist in exactly one Subsystem. A TPM SHALL NOT provide capabilities that support migration of 
non-migratory data unless those capabilities are described in the TCPA specification. 

The maintenance feature MUST move the following: 

• TCPA_KEY for SRK. The maintenance process will reset the SRK authorization to match the TPM 
Owner's authorization 

• TCPA_PERSISTENT_DATA -> tpmProof 

• TPM Owner's authorization 

7.3.1 TPM_CreateMaintenanceArchive 

Type 

Optional; TCPA protected capability; user must provide authentication from the TPM Owner. 

Incoming Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Cmd ordinal: TPM_ORD_CreateMaintenanceArchive |
| 4 | 1 | 2S | 1 | BOOL | generateRandom | Use RNG or Owner auth to generate 'random'. |
| 5 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for owner authorization. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 6 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 7 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 8 | 20 | | | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and owner authorization. HMAC key: ownerAuth. |


Outgoing Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Cmd ordinal: TPM_ORD_CreateMaintenanceArchive |
| 4 | 4 | 3S | 4 | UINT32 | randomSize | Size of the returned random data. Will be 0 if generateRandom is FALSE. |
| 5 | <> | 4S | <> | BYTE[] | random | Random data to XOR with result. |
| 6 | 4 | 5S | 4 | UINT32 | archiveSize | Size of the encrypted archive |
| 7 | <> | 6S | <> | BYTE[] | archive | Encrypted key archive. |
| 8 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 9 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 10 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: ownerAuth. |

Actions 

Upon authorization being confirmed this command does the following: 

1. Validates that the TCPA_PERSISTENT_FLAGS -> AllowMaintenance is TRUE. 

2. Validates the TPM Owner authorization. 

3. If the value of TCPA_PERSISTENT_DATA -> ManuMaintPub is zero, the TPM MUST return the error 
code TCPA_KEYNOTFOUND 

4. Build a1 a TCPA_KEY structure using the SRK. The encData field is not a normal 
TCPA_STORE_ASYMKEY structure but rather a TCPA_MIGRATE_ASYMKEY structure built using 
the following actions. 

5. Build a TCPA_STORE_PRIVKEY structure from the SRK. This privKey element should be 132 bytes 
long for a 2K RSA key. 

6. Create k1 and k2 by splitting the privKey element created in step 4 into 2 parts. k1 is the first 20 bytes 
of privKey, k2 contains the remainder of privKey. 

7. Build m1 by creating and filling in a TCPA_MIGRATE_ASYMKEY structure 

a. m1 -> usageAuth is set to TCPA_PERSISTENT_FIELDS -> tpmProof 

b. m1 -> pubDataDigest is set to the digest value of the SRK fields from step 4 

c. m1 -> payload is set to TCPA_PT_MAINT 

d. m1 -> partPrivKey is set to k2 

8. Create o1 (which SHALL be 198 bytes for a 2048 bit RSA key) by performing the OAEP encoding of 
m using OAEP parameters of 

a. m = TCPA_MIGRATE_ASYMKEY structure (step 7) 

b. P = TCPA_PERSISTENT_FIELDS -> ownerAuth 

c. seed = s1 = k1 (step 6) 

9. If GenerateRandom = TRUE 

a. Create r1 by obtaining values from the TPM RNG. The size of r1 MUST be the same size 
as o1. Set RandomData parameter to r1 

10. If GenerateRandom = FALSE 

a. Create r1 by applying MGF1 to the TPM Owner authorization data. The size of r1 MUST 
be the same size as o1. Set RandomData parameter to null. 

11. Create x1 by XOR of o1 with r1 

12. Encrypt x1 with the ManuMaintPub key using the TCPA_ES_RSAESOAEP_SHA1_MGF1 encryption 
scheme. 

13. Set a1 -> encData to x1 

14. Return a1 in the archive parameter 

7.3.2 TPM_LoadMaintenanceArchive 

Optional; TCPA protected capability; user must provide authentication from the TPM Owner. 

Incoming Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_LoadMaintenanceArchive |
| | | | | | | Vendor specific arguments |
| | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for owner authorization. |
| | | | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| | 20 | | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| | 1 | | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| | 20 | | | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and owner authorization. HMAC key: ownerAuth. |


Outgoing Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_LoadMaintenanceArchive |
| | | | | | | Vendor specific arguments |
| | 20 | | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| | 1 | | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: ownerAuth. |



Descriptions 

The maintenance mechanisms in the TPM MUST not require the TPM to hold a global secret. The 
definition of global secret is a secret value shared by more than one TPM. 

The TPME is not allowed to pre-store or use unique identifiers in the TPM for the purpose of 
maintenance. The TPM MUST NOT use the endorsement key for identification or encryption in the 
maintenance process. The maintenance process MAY use a TPM Identity to deliver maintenance 
information to specific TPMs. 

The maintenance process can only change the SRK, tpmProof and TPM Owner authorization fields. 

The maintenance process can only access data in shielded locations where this data is necessary to 
validate the TPM Owner, validate the TPME and manipulate the blob 

The TPM MUST be conformant to the TCPA specification, protection profiles and security targets after 
maintenance. The maintenance MAY NOT decrease the security values from the original security target. 

The security target used to evaluate this TPM MUST include this command in the TOE. 

Actions 

The TPM SHALL perform the following when executing the command 

1. Validate the TPM Owner's authorization 

2. Validate that the maintenance information was sent by the TPME. The validation mechanism MUST 
use a strength of function that is at least the same strength of function as a digital signature 
performed using a 2048 bit RSA key. 

3. The packet MUST contain m2 as defined in 7.3.1 

4. Ensure that only the target TPM can interpret the maintenance packet. The protection mechanism 
MUST use a strength of function that is at least the same strength of function as a digital signature 
performed using a 2048 bit RSA key. 

5. Process the maintenance information and update the SRK and TCPA_PERSISTENT_DATA -> 
tpmProof fields. 

6. Set the SRK usageAuth to be the same as TPM Owner's authorization 

7.3.3 TPM_KillMaintenanceFeature 

Type 

Optional; TCPA protected capability; user must provide authentication from the TPM Owner. 

Incoming Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_KillMaintenanceFeature |
| 4 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for owner authorization. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 5 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 6 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 7 | 20 | | | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and owner authorization. HMAC key: ownerAuth. |


Outgoing Operands and Sizes 

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_KillMaintenanceFeature |
| 4 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 5 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 6 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: ownerAuth. |



Actions 
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2. Set the TCPA_PERSISTENT_FLAGS.AIIowMaintenance flag to FALSE. 
7.3.4 TPM_LoadManuMaintPub

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_LoadManuMaintPub |
| 4 | 20 | | | TCPA_NONCE | antiReplay | AntiReplay and validation nonce |
| 5 | <> | | | TCPA_PUBKEY | pubKey | The public key of the manufacturer to be in use for maintenance |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_LoadManuMaintPub |
| 4 | 20 | | | TCPA_DIGEST | checksum | Digest of pubKey and antiReplay |



Type

Optional; TCPA protected capability

Description

The pubKey MUST specify an algorithm whose strength is not less than the RSA algorithm with 2048-bit
keys.

pubKey SHOULD unambiguously identify the entity that will perform the maintenance process with the
TPM Owner.

TCPA_PERSISTENT_DATA -> ManuMaintPub SHALL exist in a TCPA-shielded location, only.

If an entity (Platform Entity) does not support the maintenance process but issues a platform credential
for a platform containing a TPM that supports the maintenance process, the value of
TCPA_PERSISTENT_DATA -> ManuMaintPub MUST be set to zero before the platform leaves the
entity's control.

Actions

The first valid TPM_LoadManuMaintPub command received by a TPM SHALL

1. Store the parameter pubKey as TCPA_PERSISTENT_DATA -> ManuMaintPub.

2. Create "checksum" by concatenating data to form (pubKey||antiReplay) and passing the
concatenated data through a SHA-1 hash process.

3. Export the checksum

Subsequent calls to TPM_LoadManuMaintPub SHALL return code TCPA_FAIL.

7.3.5 TPM_ReadManuMaintPub

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_ReadManuMaintPub |
| 4 | 20 | | | TCPA_NONCE | antiReplay | AntiReplay and validation nonce |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_ReadManuMaintPub |
| 4 | 20 | | | TCPA_DIGEST | checksum | Digest of pubKey and antiReplay |



Type

Optional; TCPA protected capability

Description

This command returns the hash of the antiReplay nonce and the previously loaded manufacturer's
maintenance public key.

Actions

The TPM_ReadManuMaintKey command SHALL

1. Create "checksum" by concatenating data to form (TCPA_PERSISTENT_DATA -> ManuMaintPub
||antiReplay) and passing the concatenated data through SHA1.

2. Export the checksum
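
The load-once rule of 7.3.4 and the nonce-bound checksum of 7.3.5, as an added Python example that is not part of the specification: a toy model of the ManuMaintPub slot and a host-side audit that requests a checksum over a fresh nonce. The class and function names, the "OK" status label, the TCPA_FAIL answer for an empty slot, and the key blobs in the test are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

NONCE_LEN = 20           # TCPA_NONCE and TCPA_DIGEST are 20 bytes in the operand tables
OK = "OK"                # label for a successful call (name chosen for this model)
TCPA_FAIL = "TCPA_FAIL"  # return code the page gives for repeated loads


def check_nonce(anti_replay):
    if len(anti_replay) != NONCE_LEN:
        raise ValueError("antiReplay must be 20 bytes")


def manu_maint_checksum(pub_key, anti_replay):
    # checksum = SHA-1(pubKey || antiReplay), concatenated in that order
    return hashlib.sha1(pub_key + anti_replay).digest()


class ModelMaintSlot:
    """Toy stand-in for TCPA_PERSISTENT_DATA -> ManuMaintPub; not a TPM API."""

    def __init__(self):
        self._manu_maint_pub = None

    def load_manu_maint_pub(self, anti_replay, pub_key):
        check_nonce(anti_replay)
        if self._manu_maint_pub is not None:
            return TCPA_FAIL, None  # only the first valid load is accepted
        self._manu_maint_pub = bytes(pub_key)
        return OK, manu_maint_checksum(self._manu_maint_pub, anti_replay)

    def read_manu_maint_pub(self, anti_replay):
        check_nonce(anti_replay)
        if self._manu_maint_pub is None:
            return TCPA_FAIL, None  # assumption: the page does not cover an empty slot
        return OK, manu_maint_checksum(self._manu_maint_pub, anti_replay)


def audit_maintenance_key(tpm, expected_pub_key, nonce=None):
    """Request a checksum over a fresh nonce and compare it with the expected key."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    status, checksum = tpm.read_manu_maint_pub(nonce)
    if status != OK:
        return False
    expected = manu_maint_checksum(expected_pub_key, nonce)
    return hmac.compare_digest(checksum, expected)
```

The checksum is a bare hash of public values, so it shows that the stored key matches the expected one only when the path between the caller and the TPM is itself trusted.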

8. Cryptographic and Miscellaneous Functions
8.1 Introduction
8.2 TPM Hash Operations

The only commands that SHALL be presented to the TPM in-between a TPM_SHA1Start command and
a TPM_SHA1Complete command SHALL be a variable number (possibly 0) of TPM_SHA1Update
commands.

The only commands that SHALL be presented to the TPM in-between a TPM_SHA1Start command and
a TPM_SHA1CompleteExtend command SHALL be a variable number (possibly 0) of TPM_SHA1Update
commands.

8.2.1 TPM_SHA1Start

Type

TCPA protected capability

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_SHA1Start |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 4 | | | UINT32 | maxNumBytes | Maximum number of bytes that can be sent to TPM_SHA1Update. Must be a multiple of 64 bytes. |

Description

This capability prepares the TPM for a subsequent TPM_SHA1Update, TPM_SHA1Complete or
TPM_SHA1CompleteExtend command. The capability SHALL open a thread that calculates a SHA-1
digest.

8.2.2 TPM_SHA1Update

Type

TCPA protected capability

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_SHA1Update |
| 4 | 4 | | | UINT32 | numBytes | The number of bytes in hashData. Must be a multiple of 64 bytes. |
| 5 | <> | | | BYTE[] | hashData | Bytes to be hashed |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |

Description

This command SHALL incorporate complete blocks of data into the digest of an existing SHA-1 thread.
Only integral numbers of complete blocks (64 bytes each) can be processed.

8.2.3 TPM_SHA1Complete

Type

TCPA protected capability

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_SHA1Complete |
| 4 | 4 | | | UINT32 | hashDataSize | Number of bytes in hashData, MUST be 64 or less |
| 5 | <> | | | BYTE[] | hashData | Final bytes to be hashed |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 20 | | | TCPA_DIGEST | hashValue | The output of the SHA-1 hash. |

Description

This command SHALL incorporate a partial or complete block of data into the digest of an existing SHA-1
thread, and terminate that thread. hashDataSize MAY have values in the range of 0 through 64, inclusive.

8.2.4 TPM_SHA1CompleteExtend

Type

TCPA protected capability

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_SHA1CompleteExtend |
| 4 | 4 | | | TCPA_PCRINDEX | pcrNum | Index of the PCR to be modified |
| 5 | 4 | | | UINT32 | hashDataSize | Number of bytes in hashData, MUST be 64 or less |
| 6 | <> | | | BYTE[] | hashData | Final bytes to be hashed |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 20 | | | TCPA_DIGEST | hashValue | The output of the SHA-1 hash. |
| 5 | 20 | | | TCPA_PCRVALUE | outDigest | The PCR value after execution of the command. |

Description

This command SHALL incorporate a partial or complete block of data into the digest of an existing SHA-1
thread, EXTEND the resultant digest into a PCR, and terminate the thread. hashDataSize MAY have
values in the range of 0 through 64, inclusive.

8.3 Key Certification
8.3.1 TPM_CertifyKey

Type

TCPA protected capability; user must authorize the use of key pointed to by idHandle and the key pointed
to by keyHandle.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH2_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed at TPM_ORD_CertifyKey |
| 4 | 4 | | | TCPA_KEY_HANDLE | certHandle | Handle of the key to be used to certify the key. |
| 5 | 4 | | | TCPA_KEY_HANDLE | keyHandle | Handle of the key to be certified. |
| 6 | 20 | 2s | 20 | TCPA_NONCE | antiReplay | 160 bits of externally supplied data (typically a nonce provided to prevent replay-attacks) |
| 7 | 4 | | | TCPA_AUTHHANDLE | certAuthHandle | The authorization handle used for certHandle. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 8 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with certAuthHandle |
| 9 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 10 | 20 | | | TCPA_AUTHDATA | certAuth | The authorization digest for inputs and certHandle. HMAC key: certKey.auth. |
| 11 | 4 | | | TCPA_AUTHHANDLE | keyAuthHandle | The authorization handle used for the key to be signed. |
| | | 2H2 | 20 | TCPA_NONCE | keylastNonceEven | Even nonce previously generated by TPM |
| 12 | 20 | 3H2 | 20 | TCPA_NONCE | keynonceOdd | Nonce generated by system associated with keyAuthHandle |
| 13 | 1 | 4H2 | 1 | BOOL | continueKeySession | The continue use flag for the authorization handle |
| 14 | 20 | | | TCPA_AUTHDATA | keyAuth | The authorization digest for the inputs and key to be signed. HMAC key: key.usageAuth. |



Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH2_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal TPM_ORD_CertifyKey |
| 4 | 95 | 3s | 95 | TCPA_CERTIFY_INFO | certifyInfo | The certifyInfo structure that corresponds to the signed key. |
| 5 | 4 | 4s | 4 | UINT32 | outDataSize | The used size of the output area for outData |
| 6 | <> | 5s | <> | BYTE[] | outData | The signed public key. |
| 7 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with certAuthHandle |
| 8 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag for cert key session |
| 9 | 20 | | 20 | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters and parentHandle. HMAC key: certKey -> auth. |
| 10 | 20 | 2H2 | 20 | TCPA_NONCE | keyNonceEven | Even nonce newly generated by TPM |
| | | 3H2 | 20 | TCPA_NONCE | keynonceOdd | Nonce generated by system associated with keyAuthHandle |
| 11 | 1 | 4H2 | 1 | BOOL | continueKeyAuthSession | Continue use flag for target key session |
| 12 | 20 | | | TCPA_AUTHDATA | keyAuth | The authorization digest for the target key. HMAC key: key.auth. |



Actions

1. The TPM validates that the key pointed to by certHandle has a signature scheme of
TCPA_SS_RSASSAPKCS1v15_SHA1.

2. The TPM verifies the authorization in certAuthHandle provides authorization to use the key pointed to
by certHandle.

3. The TPM verifies the authorization in keyAuthHandle provides authorization to use the key pointed to
by keyHandle.

4. If the key pointed to by certHandle is an identity key (certHandle:TCPA_KEY -> keyUsage is
TPM_KEY_IDENTITY), the TPM verifies that the key pointed to by keyHandle is a non-migratory key.

5. The TPM SHALL create c1, a TCPA_CERTIFY_INFO (defined in section 4.28) structure, from the
key pointed to by keyHandle.

6. The TPM calculates the digest of the (public key) keyHandle -> pubKey -> key and stores it in
c1 -> pubkeyDigest.

7. The TPM copies the antiReplay parameter to the TCPA_CERTIFY_INFO c1 -> data.

8. If pcrInfoSize is not 0 for the key pointed to by keyHandle,

a. The TPM MUST set c1 -> pcrInfoSize to match the pcrInfoSize from the keyHandle key.

b. The TPM MUST set c1 -> pcrInfo to match the pcrInfo from the keyHandle key.

c. The TPM MUST set c1 -> digestAtCreation to 20 bytes of 0x00.

9. If pcrInfoSize is 0 for the key pointed to by keyHandle

a. The TPM MUST set c1 -> pcrInfoSize to 0

10. The TPM creates m1, a message digest formed by taking the SHA1 of c1.

11. The TPM then performs a signature using certHandle -> sigScheme. The resulting signed blob is
returned in outData.

8.4 TPM Internal Asymmetric Encryption

The TPM MUST check that the encryption scheme defined for use with the key is a valid scheme for the
key type, as follows:

| Key algorithm | Approved schemes | Scheme Value |
|---|---|---|
| TCPA_ALG_RSA | TCPA_ES_NONE | 0x0001 |
| | TCPA_ES_RSAESPKCSv15 | 0x0002 |
| | TCPA_ES_RSAESOAEP_SHA1_MGF1 | 0x0003 |

For a TPM_UNBIND command where the parent key has pubKey.algorithmId equal to TCPA_ALG_RSA
and pubKey.encScheme set to TCPA_ES_RSAESPKCSv15 the TPM SHALL NOT expect a
PAYLOAD_TYPE structure to pre-pend the decrypted data.

The TPM MUST perform the encryption or decryption in accordance with the specification of the
encryption scheme, as described below.

When a null terminated string is included in a calculation, the terminating null SHALL NOT be included in
the calculation.

8.4.1 TCPA_ES_RSAESOAEP_SHA1_MGF1

The encryption and decryption MUST be performed using the scheme RSA_ES_OAEP defined in [PKCS
#1v2.0: 8.1] using SHA1 as the hash algorithm for the encoding operation.

1. Encryption

a. The OAEP encoding P parameter MUST be the NULL terminated string "TCPA".

b. If there is an error with the encryption the TPM must return the error
TCPA_ENCRYPT_ERROR.

2. Decryption

a. The OAEP decoding P parameter MUST be the NULL terminated string "TCPA".

b. If there is an error with the decryption, the TPM must return the error
TCPA_DECRYPT_ERROR.

8.4.2 TCPA_ES_RSAESPKCSV15

The encryption MUST be performed using the scheme RSA_ES_PKCSV15 defined in [PKCS #1v2.0:
8.1].

1. Encryption

a. If there is an error with the encryption, return the error TCPA_ENCRYPT_ERROR.

2. Decryption

a. If there is an error with the decryption, return the error TCPA_DECRYPT_ERROR.

8.5 TPM Internal Digital Signatures

The TPM MUST check that the signature scheme defined for use with the key is a valid scheme for the
key type, as follows:

| Key algorithm | Approved schemes | Scheme Value |
|---|---|---|
| TCPA_ALG_RSA | TCPA_SS_NONE | 0x0001 |
| | TCPA_SS_RSASSAPKCS1v15_SHA1 | 0x0002 |
| | TCPA_SS_RSASSAPKCS1v15_DER | 0x0003 |

The TPM MUST perform the signature or verification in accordance with the specification of the signature
scheme, as described below.

8.5.1 TCPA_SS_RSASSAPKCS1v15_SHA1

The signature MUST be performed using the scheme RSASSA-PKCS1-v1.5 defined in [PKCS #1v2.0:
8.1] using SHA1 as the hash algorithm for the encoding operation.

8.5.2 TCPA_SS_RSASSAPKCS1v15_DER

The signature MUST be performed using the scheme RSASSA-PKCS1-v1.5 defined in [PKCS #1v2.0:
8.1]. The caller must properly format the area to sign using the DER rules. The provided area maximum
size is k-11 octets.



8.6 HMAC Calculation 




The TPM MUST support the calculation of an HMAC according to RFC 2104. 

The size of the key (K in RFC 2104) MUST be 20 bytes. The block size (B in RFC 2104) MUST be 64 
bytes. 

The order of the parameters is critical to the TPM's ability to recreate the HMAC. Not all of the fields are
sent on the wire for each command; for instance, only one of the nonce values travels on the wire. The
order of the parameters is set by section 4.4.

Each function indicates what parameters are involved in the HMAC calculation. 

8.7 Digital Signatures
8.7.1 TPM_Sign

Type

TCPA protected capability; user must provide authorization to use the keyHandle parameter.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_Sign. |
| 4 | 4 | | | TCPA_KEY_HANDLE | keyHandle | The keyHandle identifier of a loaded key that can perform digital signatures. |
| 5 | 4 | 2s | 4 | UINT32 | areaToSignSize | The size of the areaToSign parameter |
| 6 | <> | 3s | <> | BYTE[] | areaToSign | The value to sign |
| 7 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for keyHandle authorization |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 8 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 9 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 10 | 20 | | | TCPA_AUTHDATA | privAuth | The authorization digest that authorizes the use of keyHandle. HMAC key: key.usageAuth |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_Sign. |
| 4 | 4 | 3s | 4 | UINT32 | sigSize | The length of the returned digital signature |
| 5 | <> | 4s | <> | BYTE[] | sig | The resulting digital signature. |
| 6 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 7 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 8 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: key.usageAuth |



Description

The TPM MUST support all values of areaToSignSize that are legal for the defined signature scheme and
key size. The maximum value of areaToSignSize is determined by the defined signature scheme and key
size. In the case of PKCS1v15_SHA1 the areaToSignSize MUST be TCPA_DIGEST (the hash size of a
SHA1 operation; see 8.5.1 TCPA_SS_RSASSAPKCS1v15_SHA1). In the case of PKCS1v15_DER the
maximum size of areaToSign is k-11 octets, where k is limited by the key size (see 8.5.2
TCPA_SS_RSASSAPKCS1v15_DER).

Actions

1. If the areaToSignSize is 0 the TPM returns TCPA_BAD_PARAMETER.

2. The TPM validates the authorization to use the key pointed to by keyHandle.

3. Validate that keyHandle -> keyUsage is TPM_KEY_SIGN or TPM_KEY_LEGACY, if not return the
error code TCPA_INVALID_KEYUSAGE

4. The TPM verifies that the signature scheme used by the key referenced by keyHandle is a valid and
supported signature scheme.

5. The TPM verifies that the signature scheme and key size can properly sign the areaToSign
parameter.

6. The TPM computes the signature, sig, using the key referenced by keyHandle, with areaToSign
as the information to be signed
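
The checks in actions 1 to 5, combined with the scheme values of 8.5, written as an added Python example that is not code from the specification. It returns the number of the action that rejects a request and the error code where this page names one. The function names, the Verdict type, the boolean that stands in for the HMAC authorization check, and the rejection of TCPA_SS_NONE at action 4 are assumptions of this sketch.

```python
from typing import NamedTuple, Optional

# Scheme values from the 8.5 table
TCPA_SS_NONE = 0x0001
TCPA_SS_RSASSAPKCS1v15_SHA1 = 0x0002
TCPA_SS_RSASSAPKCS1v15_DER = 0x0003

SHA1_DIGEST_LEN = 20  # size of a TCPA_DIGEST
SIGNING_USAGES = {"TPM_KEY_SIGN", "TPM_KEY_LEGACY"}


class Verdict(NamedTuple):
    ok: bool
    action: Optional[int]  # number of the Actions step that rejected the request
    code: Optional[str]    # error code, only where the page names one


def max_area_to_sign(sig_scheme, key_bits):
    """Largest areaToSign the scheme allows, or None if the scheme cannot sign."""
    if sig_scheme == TCPA_SS_RSASSAPKCS1v15_SHA1:
        return SHA1_DIGEST_LEN
    if sig_scheme == TCPA_SS_RSASSAPKCS1v15_DER:
        return key_bits // 8 - 11  # k-11 octets, k being the key size in octets
    return None  # assumption: TCPA_SS_NONE and unknown values are not usable here


def check_sign_request(key_usage, sig_scheme, key_bits, area_to_sign, authorized=True):
    """Walk actions 1 to 5 in order and report the first one that fails."""
    if len(area_to_sign) == 0:
        return Verdict(False, 1, "TCPA_BAD_PARAMETER")
    if not authorized:  # stands in for validating privAuth
        return Verdict(False, 2, None)
    if key_usage not in SIGNING_USAGES:
        return Verdict(False, 3, "TCPA_INVALID_KEYUSAGE")
    limit = max_area_to_sign(sig_scheme, key_bits)
    if limit is None:
        return Verdict(False, 4, None)
    if sig_scheme == TCPA_SS_RSASSAPKCS1v15_SHA1:
        fits = len(area_to_sign) == limit  # must be exactly one SHA-1 digest
    else:
        fits = len(area_to_sign) <= limit
    if not fits:
        return Verdict(False, 5, None)
    return Verdict(True, None, None)
```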

8.8 Random Numbers
8.8.1 TPM_GetRandom

TCPA protected capability.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_GetRandom. |
| 4 | 4 | | | UINT32 | bytesRequested | Number of bytes to return |



Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 4 | | | UINT32 | randomBytesSize | The number of bytes returned |
| 5 | <> | | | BYTE[] | randomBytes | The returned bytes |

Actions

1. The TPM determines if amount bytesRequested is available from the TPM.

2. Set randomBytesSize to the number of bytes available from the RNG. This number MAY be less than
randomBytesSize.

3. Set randomBytes to the next randomBytesSize bytes from the RNG

4. It is RECOMMENDED that a TPM implement the RNG in a manner that would allow it to return RNG
bytes such that the frequency of bytesRequested being less than the number of bytes available be an
infrequent occurrence.

8.8.2 TPM_StirRandom

Type

TCPA protected capability.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_StirRandom |
| 4 | 4 | | | UINT32 | dataSize | Number of bytes of input (<256) |
| 5 | <> | | | BYTE[] | inData | Data to add entropy to RNG state |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |

Actions

The TPM updates the state of the current RNG using the appropriate mixing function.

At startup, a TPM MUST self-test all internal functions that are necessary to do TPM_SHA1Start,
TPM_SHA1Update, TPM_SHA1Complete, TPM_SHA1CompleteExtend, TPM_Extend, TPM_Startup,
TPM_ContinueSelfTest. This process MUST take 20ms or less.

TSC commands do not operate on shielded locations and have no requirement to be self tested before
any use. TPMs SHOULD test these functions before operation.

Some internal functions MUST be tested before the TPM responds to any capability (see 10.8.1). Some
internal functions SHOULD be tested before the TPM responds to any capability (see 10.8.2).

If self test has failed, the TPM SHALL respond to all commands (except the update commands) with the
error code TCPA_FAILEDSELFTEST (see 10.8.3).

If the functions used by a capability have not been tested, TPM_ContinueSelfTest is executed
automatically after that capability is called and before it is executed returning the error
TCPA_NEED_SELFTEST

8.9.1 TPM_SelfTestFull

Type

TCPA protected capability

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_SelfTestFull |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |

Actions

1. TPM_SelfTestFull SHALL cause a TPM to perform self-test of each TPM internal function

2. Failure of any test results in overall failure, and the TPM goes into failure mode.

8.9.2 TPM_CertifySelfTest

Type

TCPA protected capability; user must provide authorization to use the keyHandle parameter.

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_CertifySelfTest |
| 4 | 4 | | | TCPA_KEY_HANDLE | keyHandle | The keyHandle identifier of a loaded key that can perform digital signatures. |
| 5 | 20 | 2s | 20 | TCPA_NONCE | antiReplay | AntiReplay nonce to prevent replay of messages |
| 6 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for keyHandle authorization |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 7 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 8 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 9 | 20 | | | TCPA_AUTHDATA | privAuth | The authorization digest that authorizes the inputs and use of keyHandle. HMAC key: key.usageAuth |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_CertifySelfTest |
| 4 | 4 | 3s | 4 | UINT32 | sigSize | The length of the returned digital signature |
| 5 | <> | 4s | <> | BYTE[] | sig | The resulting digital signature. |
| 6 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 7 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 8 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: key.usageAuth |



Description

The key in keyHandle MUST have a KEYUSAGE value of type TPM_KEY_SIGNING,
TPM_KEY_LEGACY or TPM_KEY_IDENTITY.

Information returned by TPM_CertifySelfTest MUST NOT aid identification of an individual TPM.

Actions

1. The TPM SHALL perform TPM_SelfTestFull. If the test fails the TPM returns the appropriate error
code.

2. After successful completion of the self-test the TPM then validates the authorization to use the key
pointed to by keyHandle.

3. Create t1 the null terminated string of "Test Passed"

4. The TPM creates m2 the message to sign by concatenating t1 || AntiReplay || ordinal.

5. The TPM signs m2 using the key identified by keyHandle, and returns the signature as sig.

8.9.3 TPM_ContinueSelfTest

Type

TCPA protected capability

Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_ContinueSelfTest |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |

Actions

TPM_ContinueSelfTest SHALL cause the TPM to do all self-tests that are outstanding, since startup. It
SHALL immediately respond to the caller with a return code. When TPM_ContinueSelfTest finishes
execution, it SHALL NOT respond to the caller with a return code.

The TPM SHALL unilaterally execute the functions of TPM_ContinueSelfTest upon receipt of a command
that calls a capability-X that uses untested TPM functions. If the self-test fails, the TPM SHALL return the
error code TCPA_FAILEDSELFTEST. If the self-test passes, the TPM SHALL execute capability-X.

8.9.4 TPM_GetTestResult




Type 

TCPA protected capability 
Incoming Operands and Sizes 



PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag
3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_GetTestResult

Outgoing Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag
3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3.
4 | 4 | | | UINT32 | outDataSize | The size of the outData area
5 | <> | | | BYTE[] | outData | The outData this is manufacturer specific



Actions 

The TPM SHALL respond to this command with a manufacturer specific block of information that 
describes the result of the latest self test. 

The information MUST NOT contain any data that uniquely identifies an individual TPM. 
8.10 Reset and Clear Operations




The TPM MUST support the reset operation. The reset operation clears all handles, authorization 
sessions and volatile state machines. The reset MUST NOT affect the SRK, PCR and flags such as the
flag set by TPM_DisableForceClear. 

The TPM MUST support the clear operations. The clear operation MUST perform the following actions: 

• Perform a reset operation 

• Delete the SRK 

• Reset all non-volatile values to factory default except the endorsement key pair 

• Return TCPA_NOSRK until there is a proper execution of the ownership function 

The TPM MUST support disabling the clear operations. After execution of the TPM_DisableOwnerClear
the TPM MUST require physical access to execute the TPM_ForceClear. The TPM MUST support the 
TPM_DisableForceClear to disable the TPM_ForceClear command. The TPM_DisableForceClear 
command MUST execute on each startup cycle to be effective. 
8.10.1 TPM_Reset






Type 

TCPA protected capability. 
Incoming Operands and Sizes 



PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag
3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_Reset.

Outgoing Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag
3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3.



Actions 

1. The TPM frees all resources allocated to authorization sessions extant in the TPM 

2. The TPM does not reset any PCR or DIR values. 

3. The TPM does not reset any flags in the TCPA_VOLATILE_FLAGS structure. 

4. The TPM does not reset or delete any keys 
8.10.2 TPM_Init




Definition 

TPM_Init () ; 

Type 

TCPA protected capability that requires physical indication from the platform 

Parameters 

None 

Description 

The platform MUST be designed such that if the TPM_Init signal is asserted the entire Platform MUST be
initialized. This prevents, at least with a minimum effort, someone touching the TPM_Init pin on the TPM
and resetting only the TPM.

The TPM_Init signal MUST have signaling qualifications appropriate for the required conformance and
Protection Profile for the Platform. 

Actions 

1. The TPM performs a TPM_Reset. 

2. The TPM sets TCPA_VOLATILE_FLAGS -> postInitialise to TRUE. See 4.13.3 for details of the
"postInitialise" state.
8.10.3 TPM_SaveState




Type 

TCPA protected capability 
Incoming Operands and Sizes 



PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag
3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_SaveState.

Outgoing Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag
3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3.



Description 

Preserved values MUST be non-volatile. 

If data is never stored in a volatile medium, that data MAY be used as preserved data. In such cases, no
explicit action may be required to preserve that data. 

If an explicit action is required to preserve data, it MUST be possible to determine whether preserved 
data is valid. 

If the parameter mirrored by a preserved value is altered, the preserved value MUST be declared invalid. 
If the parameter mirrored by any preserved value is altered, all preserved values MAY be declared 
invalid. 

Actions 

1. The contents of all PCRs MUST be preserved. 

2. The contents of the auditDigest MUST be preserved. 

3. The state of the flags:

i. TCPA_VOLATILE_FLAGS -> PhysicalPresence

ii. TCPA_VOLATILE_FLAGS -> PhysicalPresenceLock

iii. TCPA_VOLATILE_FLAGS -> deactivated

iv. TCPA_VOLATILE_FLAGS -> disableForceClear

MUST be preserved.

4. The contents of any key that is currently loaded SHOULD be preserved if the key's parentPCRStatus
indicator is FALSE and its IsVolatile indicator is FALSE. The contents of any key that is currently
loaded MAY be preserved if its parentPCRStatus indicator is TRUE or its IsVolatile indicator is TRUE.
8.10.4 TPM_Startup




Type 

TCPA protected capability 
Incoming Operands and Sizes 



PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag
3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_Startup
4 | 2 | | | TCPA_STARTUP_TYPE | startupType | Type of startup that is occurring

Outgoing Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag
3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3.



Description 

TPM_Startup MUST be generated by a trusted entity (the RTM or the TPM, for example). 
Actions 

1. If no EK is present, the TPM MUST return TCPA_NO_ENDORSEMENT and exit this capability.

2. If TCPA_VOLATILE_FLAGS -> postInitialise is FALSE, the TPM MUST return
TCPA_INVALID_POSTINIT, and exit this capability.

3. If stType = TCPA_ST_CLEAR

a. Reset PCR's

b. Reset the auditDigest

c. The TPM MUST set the following flags to their default state:

i. TCPA_VOLATILE_FLAGS -> PhysicalPresence

ii. TCPA_VOLATILE_FLAGS -> PhysicalPresenceLock

iii. TCPA_VOLATILE_FLAGS -> disableForceClear

d. The TPM SHALL set TCPA_VOLATILE_FLAGS -> deactivated to the same state as
TCPA_PERSISTENT_FLAGS -> deactivated

e. The TPM SHALL take all necessary actions to ensure that all loaded keys contain the
preserved value if the preserved value is valid and the preserved value's parentPCRStatus
indicator is FALSE and its IsVolatile indicator is FALSE. All other key areas MUST be
unloaded. If the TPM is unable to successfully complete these actions, it SHALL enter the
TPM failure mode.

4. If stType = TCPA_ST_STATE

a. The TPM SHALL take all necessary actions to ensure that all PCRs contain valid preserved
values. If the TPM is unable to successfully complete these actions, it SHALL enter the TPM
failure mode.

b. The TPM SHALL take all necessary actions to ensure that the auditDigest contains a valid
preserved value. If the TPM is unable to successfully complete these actions, it SHALL enter
the TPM failure mode.

c. The TPM MUST restore the following flags to their preserved states:

i. TCPA_VOLATILE_FLAGS -> PhysicalPresence

ii. TCPA_VOLATILE_FLAGS -> PhysicalPresenceLock

iii. TCPA_VOLATILE_FLAGS -> deactivated

iv. TCPA_VOLATILE_FLAGS -> disableForceClear

d. The TPM MUST restore all keys that have been saved

e. The TPM resumes normal operation. If the TPM is unable to resume normal operation it
SHALL enter the TPM failure mode.

5. If stType = TCPA_ST_DEACTIVATED

a. The TPM MUST set TCPA_VOLATILE_FLAGS -> deactivated to TRUE

6. The TPM MUST invalidate any explicitly preserved state, and set TCPA_VOLATILE_FLAGS ->
postInitialise to FALSE.
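The interaction of TPM_Init, TPM_SaveState and TPM_Startup can be followed in a small state model. This is an added example, not code from the specification. It assumes PCRs reset to zero, every volatile flag defaults to FALSE, the success code is named TCPA_SUCCESS, and loaded keys are left out; the failure-mode marker is a label of the model.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

ST_CLEAR = "TCPA_ST_CLEAR"
ST_STATE = "TCPA_ST_STATE"
ST_DEACTIVATED = "TCPA_ST_DEACTIVATED"
SUCCESS = "TCPA_SUCCESS"            # assumed name for the success return code
FAILURE_MODE = "TPM failure mode"   # model marker; the page names no return code for it
NUM_PCRS = 8                        # assumption for the model
PRESERVED_FLAGS = ("PhysicalPresence", "PhysicalPresenceLock",
                   "deactivated", "disableForceClear")


def default_flags():
    # Assumption: the default state of every volatile flag is FALSE.
    return {name: False for name in PRESERVED_FLAGS}


@dataclass
class TpmModel:
    ek_present: bool = True
    persistent_deactivated: bool = False
    post_initialise: bool = False
    failure_mode: bool = False
    pcrs: list = field(default_factory=lambda: [bytes(20)] * NUM_PCRS)
    audit_digest: bytes = bytes(20)
    flags: dict = field(default_factory=default_flags)
    saved: Optional[dict] = None    # explicitly preserved state; None means invalid

    def init(self):
        """TPM_Init: TPM_Reset leaves PCRs, flags and keys alone, then postInitialise = TRUE."""
        self.post_initialise = True

    def extend(self, index, data):
        """Alter a PCR; the preserved value that mirrors it is no longer valid (8.10.3)."""
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + data).digest()
        self.saved = None           # the model declares all preserved values invalid

    def save_state(self):
        """TPM_SaveState actions 1-3 (loaded keys are not modelled)."""
        self.saved = {"pcrs": list(self.pcrs), "audit": self.audit_digest,
                      "flags": dict(self.flags)}

    def startup(self, st_type):
        if not self.ek_present:                      # action 1
            return "TCPA_NO_ENDORSEMENT"
        if not self.post_initialise:                 # action 2
            return "TCPA_INVALID_POSTINIT"
        if st_type == ST_CLEAR:                      # action 3
            self.pcrs = [bytes(20)] * NUM_PCRS
            self.audit_digest = bytes(20)
            self.flags = default_flags()
            self.flags["deactivated"] = self.persistent_deactivated
        elif st_type == ST_STATE:                    # action 4
            if self.saved is None:                   # nothing valid to restore
                self.failure_mode = True
                return FAILURE_MODE
            self.pcrs = list(self.saved["pcrs"])
            self.audit_digest = self.saved["audit"]
            self.flags = dict(self.saved["flags"])
        elif st_type == ST_DEACTIVATED:              # action 5
            self.flags["deactivated"] = True
        else:
            raise ValueError("unknown startup type")
        self.saved = None                            # action 6
        self.post_initialise = False
        return SUCCESS
```

Because action 6 clears postInitialise, a second TPM_Startup without a platform-wide TPM_Init is refused, so software running after boot cannot reset the PCRs by replaying the command.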



Version 1.1a 1 December 2001 



TCPA Main Specification 



Page 21 9 



8.10.5 TPM_OwnerClear 




Type 

TCPA protected capability; user must provide authorization as the TPM Owner. 
Incoming Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag
3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_OwnerClear
4 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for owner authorization.
 | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs
5 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle
6 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Ignored
7 | 20 | | | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and owner authorization. HMAC key: ownerAuth.

Outgoing Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag
3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3.
 | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_OwnerClear
4 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs
 | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle
5 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Fixed value FALSE
6 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: old ownerAuth.



Actions 

1. The TPM verifies that the authHandle properly authorizes the owner.

2. After owner verification the TPM then checks the status of the TCPA_PERSISTENT_FLAGS ->
DisableOwnerClear flag, if set the TPM returns TCPA_CLEAR_DISABLED.

The TPM executes the TPM_Reset command. The TPM then destroys the SRK and any internal data
associated with the SRK. The TPM then destroys the TPM Ownership data.

The TPM unloads all loaded keys.

The TPM sets all DIR registers to their default value.

The TPM sets TCPA_PERSISTENT_FLAGS to their default values.

The result will be no Owner or SRK and the TPM is set to the state where it returns TCPA_NOSRK. 
8.10.6 TPM_DisableOwnerClear




Type 

TCPA protected capability; user must provide authorization as the TPM Owner. 
Incoming Operands and Sizes 



PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag
3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_DisableOwnerClear
4 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for owner authorization.
 | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs
5 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle
6 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle
7 | 20 | | | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and owner authorization. HMAC key: ownerAuth.

Outgoing Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag
3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3.
 | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_DisableOwnerClear
4 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs
 | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle
5 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active
6 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: ownerAuth.



Actions 

1. The TPM verifies that the authHandle properly authorizes the owner.

2. The TPM sets the TCPA_PERSISTENT_FLAGS -> disableownerclear flag to TRUE.

3. The only mechanism that can clear the TPM is the TPM_ForceClear command. The TPM_ForceClear
command requires physical access to the TPM to execute.
8.10.7 TPM_ForceClear




Type 

TCPA protected capability; there must be some evidence of physical access to the platform present for 
the TPM to verify. 

Incoming Operands and Sizes 



PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag
3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_ForceClear

Outgoing Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag
3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3.



Actions 

1. The TPM checks for a prior execution of the TPM_DisableForceClear command. If executed, the 
TPM will return TCPA_CLEAR_DISABLED.

2. After verification of physical access, the TPM performs a clear operation that has the same result as 
the TPM_OwnerClear. After execution the result of this command is exactly like the 
TPM_OwnerClear. 

3. The implementation of the physical access requirement is a manufacturer option. The evidence of 
physical access could be done by setting a pin high on a chip, or by sending special bus cycles or by 
any other mechanism that provides evidence of physical access. 
8.10.8 TPM_DisableForceClear




Type

TCPA protected capability

Incoming Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag
3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_DisableForceClear

Outgoing Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag
3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3.



Actions 

The TPM sets the TCPA_VOLATILE_FLAGS.disableforceclear flag in the TPM that disables the
execution of the TPM_ForceClear command. 
8.11 The GetCapability Commands




The TPM MUST NOT return in response to the GetCapability command any information that identifies an 
individual TPM. 
8.11.1 TPM_GetCapability

Type 

TCPA protected capability 



Incoming Operands and Sizes 



PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag
3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_GetCapability
4 | 4 | | | TCPA_CAPABILITY_AREA | capArea | Partition of capabilities to be interrogated
5 | 4 | | | UINT32 | subCapSize | Size of subCap parameter
6 | <> | | | BYTE[] | subCap | Further definition of information

Outgoing Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag
3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3.
4 | 4 | | | UINT32 | respSize | The length of the returned capability response
5 | <> | | | BYTE[] | resp | The capability response



Actions 

The TPM validates the capArea and subCap indicators. If the information is available, the TPM creates 
the response field and fills in the actual information. 



CapArea | subCap | Response
TCPA_CAP_ORD | ORDINAL: A value of command ordinal: see 4.32 | Boolean value. TRUE indicates that the TPM supports the ordinal. FALSE indicates that the TPM does not support the ordinal.
TCPA_CAP_ALG | TCPA_ALG_XX: A value of TCPA_ALGORITHM_ID: see 4.15 | Boolean value. TRUE indicates that the TPM supports the algorithm, FALSE indicates that the TPM does not support the algorithm.
TCPA_CAP_PID | TCPA_PID: A value of TCPA_PROTOCOL_ID: See 4.15 | Boolean value. TRUE indicates that the TPM supports the protocol, FALSE indicates that the TPM does not support the protocol.
TCPA_CAP_PROPERTY | TPM_CAP_PROP_PCR | UINT32 value. Returns the number of PCR registers supported by the TPM
TCPA_CAP_PROPERTY | TPM_CAP_PROP_DIR | UINT32 value. Returns the number of DIR registers supported by the TPM.
TCPA_CAP_PROPERTY | TCPA_CAP_PROP_MANUFACTURER | UINT32 value. Returns the Identifier of the TPM manufacturer.
TCPA_CAP_PROPERTY | TCPA_CAP_PROP_SLOTS | UINT32 value. Returns the maximum number of 2048 bit RSA keys that the TPM is capable of loading. This MAY vary with time and circumstances.
TCPA_CAP_VERSION | Ignored | Returns the TCPA_VERSION structure that identifies the version of the TPM. See 4.5
TCPA_CAP_KEY_HANDLE | Ignored | A TCPA_KEY_HANDLE_LIST structure, describing the handles of all keys that are currently loaded into the TPM. See 4.9
TCPA_CAP_CHECK_LOADED | ALGORITHM: A value of TCPA_KEY_PARMS: see 4.15 | A Boolean value. TRUE indicates that the TPM has enough memory available to load a key of the type specified by ALGORITHM. FALSE indicates that the TPM does not have enough memory.



The permitted values of TCPA_CAP_PROP_MANUFACTURER and their meaning SHALL be defined in 
platform specific TCPA specifications. 

IDL Definitions of subCap 

#define TCPA_CAP_PROP_PCR          0x00000101
#define TCPA_CAP_PROP_DIR          0x00000102
#define TCPA_CAP_PROP_MANUFACTURER 0x00000103
#define TCPA_CAP_PROP_SLOTS        0x00000104
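The TPM_GetCapability operand tables above translate into the following marshalling and length-checked parsing code, shown for the TCPA_CAP_PROP_PCR query. This is an added example, not code from the specification. It assumes big-endian integers, that return code 0 means success, and that an error response carries no resp field; the tag, ordinal and capArea numbers are the values commonly given for TPM 1.x and are not stated in this section.

```python
import struct

# Assumed numeric values (not stated in this section).
TPM_TAG_RQU_COMMAND = 0x00C1
TPM_TAG_RSP_COMMAND = 0x00C4
TPM_ORD_GetCapability = 0x00000065
TCPA_CAP_PROPERTY = 0x00000005
# From the IDL definitions of subCap on this page.
TCPA_CAP_PROP_PCR = 0x00000101

HEADER = struct.Struct(">HII")      # tag, paramSize, ordinal or returnCode


def build_get_capability(cap_area, sub_cap):
    """Incoming operands 1-6: tag, paramSize, ordinal, capArea, subCapSize, subCap."""
    body = struct.pack(">II", cap_area, len(sub_cap)) + sub_cap
    param_size = HEADER.size + len(body)        # counts tag and paramSize themselves
    return HEADER.pack(TPM_TAG_RQU_COMMAND, param_size, TPM_ORD_GetCapability) + body


def pcr_count_request():
    """Request for the number of PCR registers (capArea TCPA_CAP_PROPERTY)."""
    return build_get_capability(TCPA_CAP_PROPERTY, struct.pack(">I", TCPA_CAP_PROP_PCR))


def parse_get_capability_response(blob):
    """Outgoing operands 1-5. Returns (returnCode, resp); raises ValueError when
    a length field disagrees with the bytes actually received."""
    if len(blob) < HEADER.size:
        raise ValueError("response shorter than tag + paramSize + returnCode")
    tag, param_size, return_code = HEADER.unpack_from(blob, 0)
    if tag != TPM_TAG_RSP_COMMAND:
        raise ValueError("unexpected tag")
    if param_size != len(blob):
        raise ValueError("paramSize does not match the received length")
    if return_code != 0:
        return return_code, b""
    if len(blob) < HEADER.size + 4:
        raise ValueError("respSize field missing")
    (resp_size,) = struct.unpack_from(">I", blob, HEADER.size)
    resp = blob[HEADER.size + 4:]
    if resp_size != len(resp):
        raise ValueError("respSize does not match the remaining bytes")
    return return_code, resp


def pcr_count(blob):
    """Decode the UINT32 answer to a TCPA_CAP_PROP_PCR query."""
    return_code, resp = parse_get_capability_response(blob)
    if return_code != 0 or len(resp) != 4:
        raise ValueError("no UINT32 capability value in response")
    return struct.unpack(">I", resp)[0]


# Constructed sample response: success, respSize 4, resp = 16.
SAMPLE_RESPONSE = bytes.fromhex("00c4" "00000012" "00000000" "00000004" "00000010")
```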
8.11.2 TPM_GetCapabilitySigned




Type 

TCPA protected capability; the user must supply authorization to use of parameter keyHandle 
Incoming Operands and Sizes 



PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag
3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_GetCapabilitySigned
4 | 4 | | | TCPA_KEY_HANDLE | keyHandle | The handle of a loaded key that can perform digital signatures.
5 | 20 | 2S | 20 | TCPA_NONCE | antiReplay | Nonce provided to allow caller to defend against replay of messages
6 | 4 | 3S | 4 | TCPA_CAPABILITY_AREA | capArea | Partition of capabilities to be interrogated
7 | 4 | 4S | 4 | UINT32 | subCapSize | Size of subCap parameter
8 | <> | 5S | <> | BYTE[] | subCap | Further definition of information
8 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for keyHandle authorization
 | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs
9 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle
10 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle
11 | 20 | | | TCPA_AUTHDATA | privAuth | The authorization digest that authorizes the use of keyHandle. HMAC key: key.usageAuth

Outgoing Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag
3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3.
 | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_GetCapabilitySigned
4 | 4 | 3S | 4 | TCPA_VERSION | version | A properly filled out version structure.
5 | 4 | 4S | 4 | UINT32 | respSize | The length of the returned capability response
6 | <> | 5S | <> | BYTE[] | resp | The capability response
7 | 4 | 6S | 4 | UINT32 | sigSize | The length of the returned digital signature
8 | <> | 7S | <> | BYTE[] | sig | The resulting digital signature.
9 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs
 | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle
10 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active
11 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: key.usageAuth



Description 

The key in keyHandle MUST have a KEYUSAGE value of type TPM_KEY_SIGNING or 
TPM_KEY_LEGACY or TPM_KEY_IDENTITY.

Actions

1. The TPM calls TPM_GetCapability passing the capArea and subCap fields and saving the resp field
as r1.

2. The TPM creates h1 by taking a SHA1 hash of the concatenation (r1 || antiReplay).

3. The TPM validates the authority to use keyHandle

4. The TPM creates a digital signature of h1 using the key in keyHandle and returns the result in sig.
8.11.3 TPM_GetCapabilityOwner




Type 

TCPA protected capability; user must provide authentication from the TPM Owner. 
Incoming Operands and Sizes 



PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND
2 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_GetCapabilityOwner
3 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for Owner authorization.
 | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs
4 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle
5 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle
6 | 20 | | | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and owner authorization. HMAC key: OwnerAuth.

Outgoing Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND
2 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3.
3 | 4 | 2S | 4 | TCPA_VERSION | version | A properly filled out version structure.
4 | 4 | 3S | 4 | UINT32 | non_volatile_flags | The current state of the non-volatile flags.
5 | 4 | 4S | 4 | UINT32 | volatile_flags | The current state of the volatile flags.
6 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs
 | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle
7 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active
8 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: OwnerAuth.



Description 
For 31 >= N >= 0

• Bit-N of the TCPA_PERSISTENT_FLAGS structure is the Nth bit after the opening bracket in the
definition of TCPA_PERSISTENT_FLAGS in the version of the specification indicated by the
parameter "version". The bit immediately after the opening bracket is the 0th bit.

• Bit-N of the TCPA_VOLATILE_FLAGS structure is the Nth bit after the opening bracket in the
definition of TCPA_VOLATILE_FLAGS in the version of the specification indicated by the
parameter "version". The bit immediately after the opening bracket is the 0th bit.

• Bit-N of non_volatile_flags corresponds to the Nth bit in TCPA_PERSISTENT_FLAGS.

• Bit-N of volatile_flags corresponds to the Nth bit in TCPA_VOLATILE_FLAGS.

Actions

1. The TPM validates that the TPM Owner authorizes the command.

2. The TPM creates the parameter non_volatile_flags by setting each bit to the same state as the
corresponding bit in TCPA_PERSISTENT_FLAGS. Bits in non_volatile_flags for which there is no
corresponding bit in TCPA_PERSISTENT_FLAGS are set to zero.

3. The TPM creates the parameter volatile_flags by setting each bit to the same state as the
corresponding bit in TCPA_VOLATILE_FLAGS. Bits in volatile_flags for which there is no
corresponding bit in TCPA_VOLATILE_FLAGS are set to zero.

4. The TPM generates the parameter "version". 

5. The TPM returns non_volatile_flags, volatile_flags and version to the caller. 
8.12 Audit Commands




Each command ordinal has an indicator in non-volatile TPM memory indicating if executing the command 
will result in the generation of an audit event. 



The audit event includes the command ordinal and the return code from the command. 

The digest value SHALL be SHA1 (previous value || command ordinal || return code). The digest value
register SHALL have a starting value of NULLS.

Updating of auditDigest MAY cease when TCPA_VOLATILE_FLAGS -> deactivated is TRUE. This is
because a deactivated TPM performs no useful service until a platform is rebooted at which point 
auditDigest is reset. 
8.12.1 TPM_GetAuditEvent




Type 

TCPA protected capability 
Incoming Operands and Sizes 






PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag
3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_GetAuditEvent

Outgoing Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag
3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3.
4 | 4 | | | TCPA_COMMAND_CODE | cmdOrd | Last audited command executed
5 | 4 | | | UINT32 | cmdReturnCode | Return code for cmdOrd
6 | 20 | | | TCPA_DIGEST | auditDigest | Log of all audited events



Actions 

1. The TPM sets cmdOrd to the ordinal of the last audited function. 

2. The TPM sets cmdReturnCode to the return code for the last audited function. 

3. The TPM sets auditDigest to the extended digest value of all audited functions. 
8.12.2 TPM_GetAuditEventSigned




Type 

TCPA protected capability; user must provide authentication to use the key pointed to by keyHandle. 
Incoming Operands and Sizes 



PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag
3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_GetAuditEventSigned
4 | 4 | | | TCPA_KEY_HANDLE | keyHandle | The handle of a loaded key that can perform digital signatures.
5 | 20 | 2S | 20 | TCPA_NONCE | antiReplay | A nonce to prevent antiReplay attacks
6 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for key authorization.
 | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs
7 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle
8 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle
9 | 20 | | | TCPA_AUTHDATA | keyAuth | The authorization digest for inputs and owner authorization. HMAC key: key.usageAuth.

Outgoing Operands and Sizes

PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description
1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND
2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag
3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3.
 | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_GetAuditEventSigned
4 | 4 | 3S | 4 | TCPA_COMMAND_CODE | cmdOrd | Last audited command executed
5 | 4 | 4S | 4 | UINT32 | cmdReturnCode | Return code for cmdOrd
6 | 20 | 5S | 20 | TCPA_DIGEST | auditDigest | Log of all audited events
7 | 4 | 6S | 4 | UINT32 | ordSize | The size of the ordinal list
8 | <> | 7S | <> | BYTE[] | ordinalList | The list of ordinals that are being audited
9 | 4 | 6S | 4 | UINT32 | sigSize | The size of the sig parameter
10 | <> | 9S | <> | BYTE[] | sig | The signature of the area
11 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs
 | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle
12 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active
13 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: key.usageAuth.



Actions 

1. The TPM sets cmdOrd to the ordinal of the last audited function. 

2. The TPM sets cmdReturnCode to the return code for the last audited function. 

3. The TPM sets auditDigest to the extended digest value of all audited functions.

4. The TPM sets ordinalList to a list of all audited functions. This list is a UINT32 of command ordinals.

5. Create a d1 by taking the SHA1 of (ordinal || cmdOrd || cmdReturnCode || auditDigest || ordinalList ||
antiReplay)

6. Create a digital signature of d1 by using the signature scheme for keyHandle. 

7. Return the signature in the sig parameter 
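
A verifier-side sketch of the steps above, added here as an example and not part of the specification: it parses the outgoing operands of TPM_GetAuditEventSigned, rebuilds d1, and recomputes resAuth following the HMAC column. Big-endian integers, the ordinal and tag values, the success code and all sample bytes are assumptions or constructed placeholders; checking sig against d1 with the public part of the signing key is left to an RSA library.

```python
import hashlib
import hmac
import struct

# Placeholder, not the real value: take TPM_ORD_GetAuditEventSigned from the
# specification's ordinal table.
ORD_PLACEHOLDER = 0x0000F001


class ParseError(ValueError):
    """Response is truncated, failed, or has inconsistent length fields."""


def _take(buf, off, n):
    # Bounds-checked slice: ordSize and sigSize arrive from the wire.
    if off + n > len(buf):
        raise ParseError("field at offset %d runs past the end" % off)
    return buf[off:off + n], off + n


def _u32(buf, off):
    raw, off = _take(buf, off, 4)
    return struct.unpack(">I", raw)[0], off


def parse_response(buf):
    """Split a successful response into the PARAM fields of the outgoing table."""
    raw, off = _take(buf, 0, 2)
    r = {"tag": struct.unpack(">H", raw)[0]}
    r["paramSize"], off = _u32(buf, off)
    if r["paramSize"] != len(buf):
        raise ParseError("paramSize does not match the bytes received")
    r["returnCode"], off = _u32(buf, off)
    if r["returnCode"] != 0:  # assumption: 0 is the success code
        raise ParseError("TPM reported failure; no audit fields to parse")
    r["cmdOrd"], off = _u32(buf, off)
    r["cmdReturnCode"], off = _u32(buf, off)
    r["auditDigest"], off = _take(buf, off, 20)
    r["ordSize"], off = _u32(buf, off)
    r["ordinalList"], off = _take(buf, off, r["ordSize"])
    r["sigSize"], off = _u32(buf, off)
    r["sig"], off = _take(buf, off, r["sigSize"])
    r["nonceEven"], off = _take(buf, off, 20)
    r["continueAuthSession"], off = _take(buf, off, 1)
    r["resAuth"], off = _take(buf, off, 20)
    if off != len(buf):
        raise ParseError("unexpected bytes after resAuth")
    return r


def compute_d1(ordinal, r, anti_replay):
    """SHA1(ordinal || cmdOrd || cmdReturnCode || auditDigest || ordinalList ||
    antiReplay): the digest the signature in 'sig' must verify against."""
    if len(anti_replay) != 20:
        raise ValueError("antiReplay is a 20-byte TCPA_NONCE")
    fixed = struct.pack(">III", ordinal, r["cmdOrd"], r["cmdReturnCode"])
    return hashlib.sha1(
        fixed + r["auditDigest"] + r["ordinalList"] + anti_replay).digest()


def expected_res_auth(ordinal, r, nonce_odd, usage_auth):
    """HMAC over SHA1(fields 1s..9s) || nonceEven || nonceOdd || continueAuthSession."""
    params = struct.pack(">IIII", r["returnCode"], ordinal,
                         r["cmdOrd"], r["cmdReturnCode"])
    params += r["auditDigest"] + struct.pack(">I", r["ordSize"]) + r["ordinalList"]
    params += struct.pack(">I", r["sigSize"]) + r["sig"]
    msg = (hashlib.sha1(params).digest() + r["nonceEven"] + nonce_odd
           + r["continueAuthSession"])
    return hmac.new(usage_auth, msg, hashlib.sha1).digest()


def res_auth_ok(ordinal, r, nonce_odd, usage_auth):
    # Constant-time comparison of the received and recomputed digests.
    return hmac.compare_digest(
        expected_res_auth(ordinal, r, nonce_odd, usage_auth), r["resAuth"])


def build_sample(ordinal, nonce_odd, usage_auth):
    """Constructed response for the demo; 'sig' is filler, not a signature."""
    ordinal_list = struct.pack(">II", 0x0000F002, 0x0000F003)  # constructed
    body = struct.pack(">III", 0, 0x0000F002, 0)  # returnCode, cmdOrd, cmdReturnCode
    body += hashlib.sha1(b"constructed audit log").digest()
    body += struct.pack(">I", len(ordinal_list)) + ordinal_list
    body += struct.pack(">I", 256) + b"\x5a" * 256
    body += b"\x11" * 20 + b"\x00"  # nonceEven, continueAuthSession
    head = struct.pack(">HI", 0x00C5, 6 + len(body) + 20)  # tag value assumed
    unsigned = head + body + b"\x00" * 20
    mac = expected_res_auth(ordinal, parse_response(unsigned), nonce_odd, usage_auth)
    return unsigned[:-20] + mac
```

The antiReplay nonce is not echoed in the response, so the verifier must supply the value it sent; a stale or substituted response then yields a different d1 and the signature check fails.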

8.12.3 TPM_SetOrdinalAuditStatus




Type 

TCPA protected capability; the user must show authorization from the TPM Owner to execute the
command.

Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_SetOrdinalAuditStatus |
| 4 | 4 | 2s | 4 | TCPA_COMMAND_CODE | ordinalToAudit | The ordinal whose audit flag is to be set |
| 5 | 1 | 3s | 1 | BOOL | auditState | Value for audit flag |
| 6 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for owner authorization. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 7 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 8 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 9 | 20 | | | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and owner authorization. HMAC key: ownerAuth. |


Outgoing Operands and Sizes 


| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_SetOrdinalAuditStatus |
| 4 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 5 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 6 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: ownerAuth. |



Descriptions 



Actions 

1. The TPM authenticates the command using the TPM Owner authentication. If authentication is
unsuccessful the TPM returns TCPA_FAIL.

2. The TPM sets the state of the non-volatile flag for the given ordinal to the indicated state. The TPM
also returns the state in the response.

8.12.4 TPM_GetOrdinalAuditStatus




Type 

TCPA protected capability. 
Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_GetOrdinalAuditStatus |
| 4 | 4 | | | TCPA_COMMAND_CODE | ordinalToQuery | The ordinal whose audit flag is to be queried |


Outgoing Operands and Sizes 


| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 1 | | | BOOL | State | Value of audit flag for ordinalToQuery |



Actions 

The TPM returns the Boolean value for the given ordinal. The value is TRUE if the command is being 
audited. 

8.12.5 Effect of audit failing after successful completion of a command

When, after successful completion of an operation and while performing the audit process, the TPM has an
internal failure (unable to write, SHA failure, etc.), the TPM MUST set the internal TPM state such that the
TPM returns the TPM_FAILEDSELFTEST error. The TPM MUST return TCPA_AUDITFAILURE for the
current command.

If the TPM is permanently nonrecoverable after an audit failure, then the TPM MUST always return
TPM_FAILEDSELFTEST for every command other than TPM_GetTestResult. This state must persist
regardless of power cycling, the execution of TPM_Init or any other actions.

If the TPM can recover in any way after the failure of an audit operation, then the TPM MUST take the 
actions stated in the following table after setting the failure state. 



| Ordinal | Effect when Audit Fails |
|---|---|
| TPM_ORD_OIAP | No action - session deleted on TPM_INIT |
| TPM_ORD_OSAP | No action - session deleted on TPM_INIT |
| TPM_ORD_ChangeAuth | No action - changed blob not returned so nothing to delete |
| TPM_ORD_TakeOwnership | TPM returns to state where there is no TPM Owner. |
| TPM_ORD_ChangeAuthAsymStart | No action - session deleted on TPM_INIT |
| TPM_ORD_ChangeAuthAsymFinish | No action - session deleted on TPM_INIT |
| TPM_ORD_ChangeAuthOwner | The TPM MUST revert back to the previous authorization value |
| TPM_ORD_Extend | Invalidate PCR by extending 20 bytes of 0xa5 to the PCR |
| TPM_ORD_PcrRead | No action |
| TPM_ORD_Quote | No action |
| TPM_ORD_Seal | No action |
| TPM_ORD_Unseal | Ensure that unsealed data is made unavailable |
| TPM_ORD_DirWriteAuth | Invalidate the DIR by writing 20 bytes of 0xa5 into the specified DIR |
| TPM_ORD_DirRead | No action |
| TPM_ORD_UnBind | Ensure that unbound data is made unavailable |
| TPM_ORD_CreateWrapKey | No action - key not returned in blob so TPM can just lose the new key |
| TPM_ORD_LoadKey | Ensure that the key is not available |
| TPM_ORD_GetPubKey | No action - nothing returned |
| TPM_ORD_EvictKey | No action - key is evicted so no security issues |
| TPM_ORD_CreateMigrationBlob | No action - no blob returned |
| TPM_ORD_ReWrapKey | No action - no blob returned |
| TPM_ORD_ConvertMigrationBlob | No action - no blob returned |
| TPM_ORD_AuthorizeMigrationKey | No action - no blob returned |
| TPM_ORD_CreateMaintenanceArchive | No action - no blob returned |
| TPM_ORD_LoadMaintenanceArchive | Set the TPM internal state such that the TPM returns TPM_NOSRK. This requires the caller to resubmit the maintenance archive for it to be active. |
| TPM_ORD_KillMaintenanceFeature | No action |
| TPM_ORD_LoadManuMaintPub | The TPM returns to a state where no maintenance public key has been loaded |
| TPM_ORD_ReadManuMaintPub | No action - no blob returned |
| TPM_ORD_CertifyKey | No action - no blob returned |
| TPM_ORD_Sign | No action - no blob returned |
| TPM_ORD_GetRandom | No action - nothing returned |
| TPM_ORD_StirRandom | No action - RNG still secure |
| TPM_ORD_SelfTestFull | No action |
| TPM_ORD_SelfTestStartup | No action |
| TPM_ORD_CertifySelfTest | No action |
| TPM_ORD_ContinueSelfTest | No action |
| TPM_ORD_GetTestResult | No action |
| TPM_ORD_Reset | No action |
| TPM_ORD_OwnerClear | No action |
| TPM_ORD_DisableOwnerClear | No action |
| TPM_ORD_ForceClear | No action |
| TPM_ORD_DisableForceClear | No action |
| TPM_ORD_GetCapabilitySigned | No action |
| TPM_ORD_GetCapability | No action |
| TPM_ORD_GetCapabilityOwner | No action |
| TPM_ORD_OwnerSetDisable | No action |
| TPM_ORD_PhysicalEnable | No action |
| TPM_ORD_PhysicalDisable | No action |
| TPM_ORD_SetOwnerInstall | No action |
| TPM_ORD_PhysicalSetDeactivated | No action |
| TPM_ORD_SetTempDeactivated | No action |
| TPM_ORD_CreateEndorsementKeyPair | This is a dead TPM. It has failed its startup smoke test. It should not leave the factory floor. |
| TPM_ORD_MakeIdentity | No action - blob not returned so key is lost |
| TPM_ORD_ActivateIdentity | No action - credential not returned but blob is still available for the caller to resubmit to the TPM when it is functional |
| TPM_ORD_ReadPubek | No action |
| TPM_ORD_OwnerReadPubek | No action |
| TPM_ORD_DisablePubekRead | No action |
| TPM_ORD_GetAuditEvent | No action |
| TPM_ORD_GetAuditEventSigned | No action |
| TPM_ORD_GetOrdinalAuditStatus | No action |
| TPM_ORD_SetOrdinalAuditStatus | No action |
| TPM_ORD_TerminateHandle | No action |
| TPM_ORD_Init | No action |
| TPM_ORD_SaveState | No action |
| TPM_ORD_Startup | No action - The TPM is disabled, all save states are invalidated so only non-volatile keys are left. |
| TPM_ORD_SetRedirection | No action |
| TPM_ORD_SHA1Start | No action |
| TPM_ORD_SHA1Update | No action |
| TPM_ORD_SHA1Complete | No action |
| TPM_ORD_SHA1CompleteExtend | No action |
| TPM_ORD_FieldUpgrade | Set TCPA_PERSISTENT_FLAGS -> FailedFieldUpgrade to TRUE. This flag sets the disabled bit to TRUE on each TPM_Init. The only way to set the FailedFieldUpgrade flag back to FALSE is to successfully complete a FieldUpgrade. |

8.13 Enabling Ownership




Version 1.1a 1 December 2001 



TCPA Main Specification 



Page 242 



8.13.1 TPM_SetOwnerInstall
Type 

TCPA protected capability; there must be some evidence of physical access present for the TPM to verify. 
Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_SetOwnerInstall |
| 4 | 1 | | | BOOL | state | State to which ownership flag is to be set. |


Outgoing Operands and Sizes 






| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |



Action 

1. If the TPM has a current owner, this command immediately returns with TCPA_SUCCESS.

2. The TPM validates the assertion of physical access. The TPM then sets the value of 
TCPA_PERSISTENT_FLAGS -> ownership to the value in state. 






8.14 Enabling a TPM 

8.14.1 TPM_OwnerSetDisable

Type

TCPA protected capability; the TPM Owner must provide authorization.
Incoming Operands and Sizes



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_OwnerSetDisable |
| 4 | 1 | 2s | 1 | BOOL | disableState | Value for disable state - enable if TRUE |
| 5 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for owner authorization. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 6 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 7 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 8 | 20 | | | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and owner authorization. HMAC key: ownerAuth. |


Outgoing Operands and Sizes 


| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_OwnerSetDisable |
| 4 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 5 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 6 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: ownerAuth. |



Action 

1. The TPM SHALL authenticate the command as coming from the TPM Owner. If unsuccessful, the 
TPM SHALL return TCPA_BAD_AUTH. 

2. The TPM SHALL set the TCPA_PERSISTENT_FLAGS -> disable flag to the value in the disableState
parameter.

8.14.2 TPM_PhysicalDisable
Type 

TCPA protected capability; there must be some evidence of physical access present for the TPM to verify. 
Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_PhysicalDisable |


Outgoing Operands and Sizes 


| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |



Action 

The TPM SHALL set the TCPA_PERSISTENT_FLAGS.disable value to TRUE. The TPM while executing
this command MUST obtain assurance from a physical method that operation of this command is
authorized.

The TPM manufacturer MAY implement this command not as a response to a message block but as a
response to a physical action, for instance, the acceptance of a special bus cycle or setting a pin high.

8.14.3 TPM_PhysicalEnable
Type 

TCPA protected capability; there MUST be unambiguous evidence of the presence of physical access to 
the platform for the TPM to verify. 



Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_PhysicalEnable |


Outgoing Operands and Sizes 


| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |



Action 

The TPM SHALL set the TCPA_PERSISTENT_FLAGS.disable value to FALSE.

In order to execute this command, the TPM MUST obtain unambiguous assurance that operation of this
command is authorized by physical presence at the platform. The command MAY be initiated by the 
presentation to a TPM of a message block with the above input parameters, provided that the message 
block occurs while the TPM is presented with unambiguous assurance that operation of this command is 
authorized by physical presence at the platform. 

Unambiguous assurance that operation of this command is authorized by a physical action at the platform 
MAY be communicated to a TPM using a special bus cycle that is impossible for software to create, or 
asserting a single electrical signal that is impossible for software to create, for example. 

It SHALL be impossible to subvert this command to a TPM by the execution of instructions in a computing 
engine on the platform. 

8.15 Activating a TPM

8.15.1 TPM_PhysicalSetDeactivated
Type 

TCPA protected capability; there must be some evidence of physical access present for the TPM to verify. 
Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_PhysicalSetDeactivated |
| 4 | 1 | | | BOOL | state | State to which deactivated flag is to be set. |


Outgoing Operands and Sizes 


| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |



Action 

The TPM while executing this command MUST obtain assurance from a physical method that operation 
of this command is authorized. 

The TPM SHALL set the TCPA_PERSISTENT_FLAGS.deactivated flag to the value in the state
parameter.

8.15.2 TPM_SetTempDeactivated
Type 

TCPA protected capability. 
Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_SetTempDeactivated |


Outgoing Operands and Sizes 


| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |



Action 

The TPM SHALL set the TCPA_VOLATILE_FLAGS.deactivated flag to the value TRUE. 

8.16 TPM_FieldUpgrade

IDL Definition

TCPA_RESULT TPM_FieldUpgrade(
    [in, out] TCPA_AUTH* ownerAuth,
    ...);

Type 

TCPA protected capability; the TPM Owner must authenticate the command. This is an optional 
command and a TPM is not required to implement this command in any form. 



Parameters 



| Type | Name | Description |
|---|---|---|
| TCPA_AUTH | ownerAuth | Authentication from TPM owner to execute command |
| | | Remaining parameters are manufacturer specific |



Actions 

The TPM SHALL perform the following when executing the command: 

1. Validate the TPM Owner's authorization to execute the command

2. Validate that the upgrade information was sent by the TPME. The validation mechanism MUST use a 
strength of function that is at least the same strength of function as a digital signature performed 
using a 2048 bit RSA key. 

3. Validate that the upgrade target is the appropriate TPM model and version. 

4. Process the upgrade information and update the protected capabilities 

5. Set the TCPA_PERSISTENT_DATA.revMajor and TCPA_PERSISTENT_DATA.revMinor to the 
values indicated in the upgrade. The selection of the value is a manufacturer option. The values 
MUST be monotonically increasing. Installing an upgrade with a major and minor revision that is less 
than currently installed in the TPM is a valid operation. 

6. Set the TCPA_VOLATILE_FLAGS.deactivated to TRUE.

Descriptions

The upgrade mechanisms in the TPM MUST not require the TPM to hold a global secret. The definition of 
global secret is a secret value shared by more than one TPM. 

The TPME is not allowed to pre-store or use unique identifiers in the TPM for the purpose of field
upgrade. The TPM MUST NOT use the endorsement key for identification or encryption in the upgrade
process. The upgrade process MAY use a TPM Identity to deliver upgrade information to specific TPMs.

The upgrade process can only change protected capabilities.

The upgrade process can only access data in shielded locations where this data is necessary to validate
the TPM Owner, validate the TPME and manipulate the blob.

The TPM MUST be conformant to the TCPA specification, protection profiles and security targets after the
upgrade. The upgrade MAY NOT decrease the security values from the original security target.

The security target used to evaluate this TPM MUST include this command in the TOE.

8.17 TPM_SetRedirection




Type 

TCPA protected capability; the TPM MAY implement this command. The user MUST supply authorization 
to use the key pointed to by keyHandle. 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_SetRedirection |
| 4 | 4 | | | TCPA_KEY_HANDLE | keyHandle | The keyHandle identifier of a loaded key that can implement redirection. |
| 5 | 4 | 2s | 4 | UINT32 | c1 | Manufacturer parameter |
| 6 | 4 | 3s | 4 | UINT32 | c2 | Manufacturer parameter |
| 7 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for keyHandle authorization |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 8 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 9 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 10 | 20 | | | TCPA_AUTHDATA | privAuth | The authorization digest that authorizes the use of keyHandle. HMAC key: key.usageAuth |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1s | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2s | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_SetRedirection |
| 4 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 5 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 6 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: key.usageAuth |



Action 

1. The TPM SHALL validate the authorization to use the key pointed to by keyHandle. 

2. The TPM SHALL verify that the key pointed to by keyHandle has the redirection flag set to TRUE. If
FALSE the TPM SHALL return TCPA_FAIL.

3. The TPM SHALL set the key handle redirection parameters according to the values in parameters c1
and c2.

4. A key that is tagged as a "redirect" key MUST be a leaf key in the TCPA Protected Storage blob
hierarchy. A key that is tagged as a "redirect" key CAN NEVER be a parent key.

5. Output data that is the result of a cryptographic operation using the private portion of a "redirect" key:

a. MUST be passed to an alternate output channel 

b. MUST NOT be passed to the normal output channel 

c. MUST NOT be interpreted by the TPM. 

6. The authorization response returns to the caller. 

8.18 Key and Session Management

8.18.1 TPM_SaveKeyContext




Type 



TCPA optional function; TCPA protected capability. 
Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_SaveKeyContext |
| 4 | 4 | | | TCPA_KEY_HANDLE | keyHandle | The key which will be kept outside the TPM |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 4 | | | UINT32 | keyContextSize | The actual size of the outgoing key context blob. If the command fails the value will be 0 |
| 5 | <> | | | BYTE[] | keyContextBlob | The key context blob. |



Description 

This command allows saving a loaded key outside the TPM. After creation of the keyContextBlob the
TPM automatically releases the internal memory used by that key. The format of the key context blob is
specific to a TPM.

A TCPA protected capability belonging to the TPM that created a key context blob MUST be the only
entity that can interpret the contents of that blob. If a cryptographic technique is used for this purpose the
level of security provided by that technique SHALL be at least as secure as a 2048 bit RSA algorithm.
Any secrets (such as keys) used in such a cryptographic technique MUST be generated using the TPM's
random number generator. Any symmetric key MUST be used within the power-on session during which it
was created, only.

A key context blob SHALL enable verification of the integrity of the contents of the blob by a TCPA 
protected capability. 

A key context blob SHALL enable verification of the session validity of the contents of the blob by a TCPA 
protected capability. The method SHALL ensure that all key context blobs are rendered invalid if power to 
the TPM is interrupted. 

8.18.2 TPM_LoadKeyContext



Type 

TCPA optional function; TCPA protected capability. 
Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_LoadKeyContext |
| 4 | 4 | | | UINT32 | keyContextSize | The size of the following key context blob. |
| 5 | <> | | | BYTE[] | keyContextBlob | The key context blob. |


Outgoing Operands and Sizes 


| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 4 | | | TCPA_KEY_HANDLE | keyHandle | The handle assigned to the key after it has been successfully loaded. |



Description 

This command allows loading a key context blob into the TPM previously retrieved by a 
TPM_SaveKeyContext call. After successful completion the handle returned by this command can be 
used to access the key. 

The contents of a key context blob SHALL be discarded unless the contents have passed an integrity 
test. This test SHALL (statistically) prove that the contents of the blob are the same as when the blob was 
created. 

The contents of a key context blob SHALL be discarded unless the contents have passed a session
validity test. This test SHALL (statistically) prove that the blob was created by this TPM during this
power-on session.

8.19.1 TPM_SaveAuthContext




Type 

TCPA optional function; TCPA protected capability. 
Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_SaveAuthContext |
| 4 | 4 | | | TCPA_AUTHHANDLE | authHandle | Authorization session which will be kept outside the TPM |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 4 | | | UINT32 | authContextSize | The actual size of the outgoing authorization context blob. If the command fails the value will be 0. |
| 5 | <> | | | BYTE[] | authContextBlob | The authorization context blob. |



Description 

This command allows saving a loaded authorization session outside the TPM. After creation of the 
authContextBlob, the TPM automatically releases the internal memory used by that session. The format 
of the authorization context blob is specific to a TPM. 

A TCPA protected capability belonging to the TPM that created an authorization context blob MUST be 
the only entity that can interpret the contents of that blob. If a cryptographic technique is used for this 
purpose, the level of security provided by that technique SHALL be at least as secure as a 2048 bit RSA 
algorithm. Any secrets (such as keys) used in such a cryptographic technique MUST be generated using 
the TPM's random number generator. Any symmetric key MUST be used within the power-on session 
during which it was created, only. 

An authorization context blob SHALL enable verification of the integrity of the contents of the blob by a 
TCPA protected capability. 

An authorization context blob SHALL enable verification of the session validity of the contents of the blob 
by a TCPA protected capability. The method SHALL ensure that all authorization context blobs are 
rendered invalid if power to the TPM is interrupted. 

8.19.2 TPM_LoadAuthContext




Type 

TCPA optional function; TCPA protected capability. 



Incoming Operands and Sizes 



| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TPM_ORD_LoadAuthContext |
| 4 | 4 | | | UINT32 | authContextSize | The size of the following authorization context blob. |
| 5 | <> | | | BYTE[] | authContextBlob | The authorization context blob. |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | 4 | | | TCPA_KEY_HANDLE | authHandle | The handle assigned to the authorization session after it has been successfully loaded. |



Description 

This command allows loading an authorization context blob into the TPM previously retrieved by a 
TPM_SaveAuthContext call. After successful completion the handle returned by this command can be 
used to access the authorization session. 

The contents of an authorization context blob SHALL be discarded unless the contents have passed an 
integrity test. This test SHALL (statistically) prove that the contents of the blob are the same as when the 
blob was created. 

The contents of an authorization context blob SHALL be discarded unless the contents have passed a 
session validity test. This test SHALL (statistically) prove that the blob was created by this TPM during 
this power-on session. 
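The blob rules of 8.19.1 and 8.19.2 (integrity test, session validity test, keys confined to one power-on session) can be seen working in a small model. This is an added example, not part of the specification: the class `ToyTpm`, its method names, the blob layout (nonce, body, tag) and the use of HMAC-SHA256 both as MAC and as a keystream stand-in are all assumptions, since the specification leaves the blob format to each TPM.

```python
import hashlib
import hmac
import secrets


class ContextRejected(Exception):
    """The blob failed the integrity / session-validity test and was discarded."""


class ToyTpm:
    """Models only the blob rules of TPM_SaveAuthContext / TPM_LoadAuthContext."""

    NONCE_LEN = 16
    TAG_LEN = 32

    def __init__(self):
        self._sessions = {}       # handle -> session state held inside the TPM
        self._next_handle = 1
        self.power_on()

    def power_on(self):
        # A fresh secret is drawn from the RNG at every power-on and never
        # exported, so blobs made before a power interruption can no longer verify.
        root = secrets.token_bytes(32)
        self._enc_key = hmac.new(root, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(root, b"mac", hashlib.sha256).digest()
        self._sessions.clear()

    def start_session(self, state):
        handle = self._next_handle
        self._next_handle += 1
        self._sessions[handle] = bytes(state)
        return handle

    def is_loaded(self, handle):
        return handle in self._sessions

    def _xor_keystream(self, nonce, data):
        # HMAC-SHA256 in counter mode: a stand-in for a real cipher (assumption).
        stream, counter = b"", 0
        while len(stream) < len(data):
            stream += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest()
            counter += 1
        return bytes(a ^ b for a, b in zip(data, stream))

    def save_auth_context(self, handle):
        state = self._sessions.pop(handle)        # internal memory is released
        nonce = secrets.token_bytes(self.NONCE_LEN)
        body = self._xor_keystream(nonce, state)
        tag = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def load_auth_context(self, blob):
        if len(blob) < self.NONCE_LEN + self.TAG_LEN:
            raise ContextRejected("blob too short")
        nonce = blob[:self.NONCE_LEN]
        body = blob[self.NONCE_LEN:-self.TAG_LEN]
        tag = blob[-self.TAG_LEN:]
        expected = hmac.new(self._mac_key, nonce + body, hashlib.sha256).digest()
        # One constant-time check covers both tests: a modified blob and a blob
        # from an earlier power-on session both fail under the current MAC key.
        if not hmac.compare_digest(tag, expected):
            raise ContextRejected("integrity / session validity test failed")
        return self.start_session(self._xor_keystream(nonce, body))


def rejected(tpm, blob):
    try:
        tpm.load_auth_context(blob)
    except ContextRejected:
        return True
    return False


def demo():
    tpm = ToyTpm()
    state = b"constructed session state: nonces + shared secret"
    handle = tpm.start_session(state)
    blob = tpm.save_auth_context(handle)
    tampered = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]
    results = {
        "released_after_save": not tpm.is_loaded(handle),
        "state_hidden": state not in blob,
        "tampered_rejected": rejected(tpm, tampered),
        "reloaded": tpm.is_loaded(tpm.load_auth_context(blob)),
    }
    tpm.power_on()                                # power interrupted
    results["rejected_after_power_cycle"] = rejected(tpm, blob)
    return results


if __name__ == "__main__":
    print(demo())
```

The model does not stop one blob from being loaded twice within the same power-on session; the text above states no rule on that point.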
9. Subsystem Credentials
9.1 Introduction

All credentials MUST use the TCPA_VERSION structure.

9.2 Endorsement 




The PRIVEK and PUBEK MUST be accessed only by protected capabilities whose definition explicitly 
requires access to those keys. 

The PRIVEK and PUBEK MAY be created by a process other than the use of
TPM_CreateEndorsementKeyPair. If so, the process MUST result in a TPM and endorsement key whose
properties are the same as those of a genuine TPM and an endorsement key created by execution of
TPM_CreateEndorsementKeyPair in that TPM.

• The process MUST result in the same TPM state as that created by execution of
TPM_CreateEndorsementKeyPair.

• The process MUST guarantee correct generation, cryptographic strength, uniqueness, privacy,
and installation into a genuine TPM, of the endorsement key.

• The TPME, when creating the Endorsement Certificate, MUST be satisfied that the described
endorsement key does exist in a genuine TPM and was installed by a process that met or
exceeded the assurances provided by a genuine TPM performing
TPM_CreateEndorsementKeyPair.

The process MUST be defined in the TOE of the security target in use to evaluate the TPM
9.2.1 TPM_CreateEndorsementKeyPair
Type 

TCPA protected capability 
Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_CreateEndorsementKeyPair |
| 4 | 20 | | | TCPA_NONCE | antiReplay | Arbitrary data |
| 5 | <> | | | TCPA_KEY_PARMS | keyInfo | Information about key to be created, this includes all algorithm parameters |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| 4 | <> | | | TCPA_PUBKEY | pubEndorsementKey | The public endorsement key |
| 5 | 20 | | | TCPA_DIGEST | checksum | Hash of pubEndorsementKey and antiReplay |



Description 



| Type | Name | Description |
|---|---|---|
| TCPA_STORE_ASYMKEY | PRIVEK | This SHALL be the private key of the endorsement key pair. |
| TCPA_PUBKEY | PUBEK | This SHALL be the public key of the endorsement key pair. |



The PRIVEK SHALL exist only in a TCPA-shielded location. 

If the data structure TPM_ENDORSEMENT_CREDENTIAL is stored on a platform after an Owner has 
taken ownership of that platform, it SHALL exist only in storage to which access is controlled and is 
available to authorized entities. 

Actions 

The first valid TPM_CreateEndorsementKeyPair command received by a TPM SHALL

1. Validate the keyInfo parameters for the key description

   a. If the algorithm type is RSA the key length MUST be a minimum of 2048. For
   interoperability the key length SHOULD be 2048

   b. If the algorithm type is other than RSA the strength provided by the key MUST be
   comparable to RSA 2048

   c. The other parameters of keyInfo (signatureScheme etc.) are ignored.

2. Create a key pair called the "endorsement key pair" using a TCPA-protected capability. The type and
size of key are that indicated by keyInfo

3. Create checksum by performing SHA1 on the concatenation of (PUBEK || antiReplay)

4. Store the PRIVEK.

5. Export the data structures PUBEK and checksum

6. Set TCPA_PERSISTENT_FLAGS -> CEKPUsed to TRUE

Subsequent calls to TPM_CreateEndorsementKeyPair SHALL return code TCPA_FAIL.
9.2.2 TPM_ReadPubek
Type 

TCPA protected capability 



Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_ReadPubek |
| 4 | 20 | | | TCPA_NONCE | antiReplay | Arbitrary data |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.5. |
| 4 | <> | | | TCPA_PUBKEY | pubEndorsementKey | The public endorsement key |
| 5 | 20 | | | TCPA_DIGEST | checksum | Hash of pubEndorsementKey and antiReplay |



Description 

This command returns the PUBEK. 
Actions 

The TPM_ReadPubek command SHALL

1. If TCPA_PERSISTENT_FLAGS -> readPubek is FALSE return TCPA_DISABLED_CMD.

2. If no EK is present the TPM MUST return TCPA_NO_ENDORSEMENT

3. Create checksum by performing SHA1 on the concatenation of (PUBEK || antiReplay).

4. Export the PUBEK and checksum.
9.2.3 TPM_DisablePubekRead




Type 

TCPA protected capability; the user must present authorization from the TPM Owner. 



Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_DisablePubekRead |
| 4 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for owner authorization. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 5 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 6 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 7 | 20 | | | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and owner authorization. HMAC key: ownerAuth. |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_DisablePubekRead |
| 4 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 5 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 6 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: ownerAuth. |



Actions 

This capability sets the TCPA_PERSISTENT_FLAGS -> readPubek flag to FALSE.
9.2.4 TPM_OwnerReadPubek
Type 

TCPA protected capability; caller must supply authorization from the TPM Owner 
Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_OwnerReadPubek |
| 4 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for owner authorization. |
| | | 2H1 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 5 | 20 | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 6 | 1 | 4H1 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 7 | 20 | | | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and owner authorization. HMAC key: ownerAuth. |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH1_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_OwnerReadPubek |
| 4 | <> | 3S | <> | TCPA_PUBKEY | pubEndorsementKey | The public endorsement key |
| 5 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 6 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 7 | 20 | | | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: ownerAuth. |



This command returns the PUBEK. 
Actions 

The TPM_ReadPubek command SHALL 

1. Validate the TPM Owner authorization to execute this command 

2. Export the PUBEK 
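The Actions of 9.2.1 through 9.2.4 form a small state machine around two persistent flags, and the antiReplay checksum lets a caller tie a response to its own nonce. The model below is an added example, not text or code from the specification. Its assumptions: the names `EndorsementModel`, `pubek_checksum` and `response_is_fresh` are hypothetical, return codes are shown as strings, readPubek is assumed to start TRUE, the key pair is replaced by constructed random bytes, and the HMAC-based owner authorization is reduced to a boolean.

```python
import hashlib
import hmac
import secrets

TCPA_SUCCESS = "TCPA_SUCCESS"
TCPA_FAIL = "TCPA_FAIL"
TCPA_DISABLED_CMD = "TCPA_DISABLED_CMD"
TCPA_NO_ENDORSEMENT = "TCPA_NO_ENDORSEMENT"


def pubek_checksum(pubek, anti_replay):
    """checksum = SHA1(PUBEK || antiReplay), as in the Actions of 9.2.1 and 9.2.2."""
    return hashlib.sha1(pubek + anti_replay).digest()


def response_is_fresh(pubek, checksum, my_nonce):
    # Caller-side check. The hash is unkeyed: it ties a response to the caller's
    # nonce, but does not by itself authenticate the sender of the response.
    return len(my_nonce) == 20 and hmac.compare_digest(
        checksum, pubek_checksum(pubek, my_nonce))


class EndorsementModel:
    def __init__(self):
        self.cekp_used = False    # TCPA_PERSISTENT_FLAGS -> CEKPUsed
        self.read_pubek = True    # TCPA_PERSISTENT_FLAGS -> readPubek (assumed default)
        self._pubek = None
        self._privek = None       # stays in the shielded location, never returned

    def create_endorsement_key_pair(self, anti_replay, key_bits=2048):
        if self.cekp_used:
            return TCPA_FAIL, None, None          # only the first valid call succeeds
        if key_bits < 2048:
            # The Actions require a minimum of 2048 for RSA; the page names no
            # return code for this case, so the model raises instead.
            raise ValueError("RSA key length MUST be a minimum of 2048")
        # Constructed stand-ins for the key material (no real RSA here).
        self._privek = secrets.token_bytes(key_bits // 8)
        self._pubek = secrets.token_bytes(key_bits // 8)
        self.cekp_used = True
        return TCPA_SUCCESS, self._pubek, pubek_checksum(self._pubek, anti_replay)

    def read_pubek_cmd(self, anti_replay):
        if not self.read_pubek:
            return TCPA_DISABLED_CMD, None, None
        if self._pubek is None:
            return TCPA_NO_ENDORSEMENT, None, None
        return TCPA_SUCCESS, self._pubek, pubek_checksum(self._pubek, anti_replay)

    def disable_pubek_read(self, owner_authorized):
        if not owner_authorized:
            raise PermissionError("owner authorization required")
        self.read_pubek = False

    def owner_read_pubek(self, owner_authorized):
        if not owner_authorized:
            raise PermissionError("owner authorization required")
        return TCPA_SUCCESS, self._pubek


def demo():
    tpm = EndorsementModel()
    n0 = secrets.token_bytes(20)
    before = tpm.read_pubek_cmd(n0)[0]
    first, pubek, chk0 = tpm.create_endorsement_key_pair(n0)
    second = tpm.create_endorsement_key_pair(secrets.token_bytes(20))[0]
    n1 = secrets.token_bytes(20)
    _, pubek_r, chk1 = tpm.read_pubek_cmd(n1)
    results = {
        "before_create": before,
        "first_create": first,
        "second_create": second,
        "fresh_response_accepted": response_is_fresh(pubek_r, chk1, n1),
        # An earlier response presented against a new nonce does not verify.
        "stale_response_accepted": response_is_fresh(pubek, chk0, n1),
    }
    tpm.disable_pubek_read(owner_authorized=True)
    results["read_after_disable"] = tpm.read_pubek_cmd(n1)[0]
    results["owner_read_matches"] = tpm.owner_read_pubek(True) == (TCPA_SUCCESS, pubek)
    return results


if __name__ == "__main__":
    print(demo())
```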
9.3 Generating a Trusted Platform Module Identity
Obtaining a TPM identity

[Figure: message flow for obtaining a TPM identity, between the Owner, the TPM and the Privacy CA. Labels recovered from the figure:]

make_TPM_identity(P_CA_identity, id-label, identity_authorisation, alg_id, alg_param)
    identity_binding
collate_identity_request(...)
    E(P_CA_identity, session_key_1)
    E(session_key_1, TPM-identity-key, id-label, alg-id, alg-param, identity_binding,
      endorsement-cred, platform-cred, conformance-cred)
contact_privacy_CA
activate_TPM_identity(E(endorsement key, digest(id-key), session_key_2))
    session_key_2
recover_TPM_identity(session_key_2, E(session_key_2, TPM_identity_credentials))
    TPM_identity_credentials

9.3.1 TPM_MakeIdentity
Type 

TCPA protected capability; user must provide authorizations from the TPM Owner and the SRK. 
Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH2_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes incl. paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_MakeIdentity. |
| 4 | 20 | 2S | 20 | TCPA_ENCAUTH | identityAuth | Encrypted usage authorization data for the new identity |
| 5 | 20 | 3S | 20 | TCPA_CHOSENID_HASH | labelPrivCADigest | The digest of the identity label and privacy CA chosen for the new TPM identity. (See 10.4.6 for details) |
| 6 | <> | 4S | <> | TCPA_KEY | idKeyParams | Structure containing all parameters of new identity key. pubKey.keyLength & idKeyParams.encData are both 0 |
| 7 | 4 | | | TCPA_AUTHHANDLE | srkAuthHandle | The authorization handle used for SRK authorization. |
| | | 2H1 | 20 | TCPA_NONCE | srkLastNonceEven | Even nonce previously generated by TPM |
| 8 | 20 | 3H1 | 20 | TCPA_NONCE | srknonceOdd | Nonce generated by system associated with srkAuthHandle |
| 9 | 1 | 4H1 | 1 | BOOL | continueSrkSession | Ignored |
| 10 | 20 | | | TCPA_AUTHDATA | srkAuth | The authorization digest for the inputs and the SRK. HMAC key: srk.usageAuth. |
| 11 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for owner authorization. Session type MUST be OSAP. |
| | | 2H2 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 12 | 20 | 3H2 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 13 | 1 | 4H2 | 1 | BOOL | continueAuthSession | Ignored |
| 14 | 20 | | 20 | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and owner. HMAC key: ownerAuth. |


Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH2_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_MakeIdentity. |
| 4 | <> | 3S | <> | TCPA_KEY | idKey | The newly created identity key |
| 5 | 4 | 4S | 4 | UINT32 | identityBindingSize | The used size of the output area for identityBinding |
| 6 | <> | 5S | <> | BYTE[] | identityBinding | Signature of TCPA_IDENTITY_CONTENTS using idKey.private. |
| 7 | 20 | | | TCPA_NONCE | srkNonceEven | Even nonce newly generated by TPM. |
| | | 3H2 | 20 | TCPA_NONCE | srknonceOdd | Nonce generated by system associated with srkAuthHandle |
| 8 | 1 | 4H2 | 1 | BOOL | continueSrkSession | Fixed value FALSE |
| 9 | 20 | | | TCPA_AUTHDATA | srkAuth | The authorization digest used for the outputs and srkAuth session. HMAC key: srk.usageAuth. |
| 10 | 20 | 2H1 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H1 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 11 | 1 | 4H1 | 1 | BOOL | continueAuthSession | Fixed value FALSE |
| 12 | 20 | | 20 | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: ownerAuth. |



Description 

The command TPM_MakeIdentity is used to generate an identity in a TPM and to request attestation to
that identity.

The public key of the new TPM identity SHALL be identityPubKey. The private key of the new TPM
identity SHALL be tpm_signature_key.

This command requires XOR encryption of the authorization to use the new identity. To create an XOR
string the caller takes the OSAP session shared secret, concatenates it with authLastNonceEven, and
then hashes the result. This hash encrypts the authorization value and produces identityAuth.
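The XOR encryption of identityAuth described above, shown from both the caller's and the TPM's side. This is an added example, not code from the specification: the function names are hypothetical, SHA-1 is assumed as the hash (matching the 20-byte TCPA_ENCAUTH and TCPA_NONCE sizes in the operand table), and the shared secret, authorization value and nonces are constructed values.

```python
import hashlib

AUTH_LEN = 20  # size of TCPA_ENCAUTH and TCPA_NONCE in the operand table


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def xor_pad(shared_secret, auth_last_nonce_even):
    """Hash of (OSAP shared secret || authLastNonceEven)."""
    if len(auth_last_nonce_even) != AUTH_LEN:
        raise ValueError("authLastNonceEven must be 20 bytes")
    return hashlib.sha1(shared_secret + auth_last_nonce_even).digest()


def encrypt_identity_auth(new_auth, shared_secret, auth_last_nonce_even):
    """Caller side: produce the identityAuth operand."""
    if len(new_auth) != AUTH_LEN:
        raise ValueError("authorization value must be 20 bytes")
    return _xor(new_auth, xor_pad(shared_secret, auth_last_nonce_even))


def decrypt_identity_auth(identity_auth, shared_secret, auth_last_nonce_even):
    """TPM side: recover the authorization value (XOR is its own inverse)."""
    if len(identity_auth) != AUTH_LEN:
        raise ValueError("identityAuth must be 20 bytes")
    return _xor(identity_auth, xor_pad(shared_secret, auth_last_nonce_even))


def demo():
    # Constructed inputs for illustration only.
    shared_secret = hashlib.sha1(b"constructed OSAP shared secret").digest()
    new_auth = hashlib.sha1(b"constructed identity authorization").digest()
    nonce_a = bytes(range(20))
    nonce_b = bytes(range(1, 21))

    enc_a = encrypt_identity_auth(new_auth, shared_secret, nonce_a)
    enc_b = encrypt_identity_auth(new_auth, shared_secret, nonce_b)

    # XOR hides the value but does not protect it: a flipped ciphertext bit
    # flips the same plaintext bit. Integrity comes from the owner
    # authorization digest, which takes identityAuth as HMAC input 2S.
    flipped = bytes([enc_a[0] ^ 0x80]) + enc_a[1:]
    recovered_flipped = decrypt_identity_auth(flipped, shared_secret, nonce_a)

    return {
        "round_trip": decrypt_identity_auth(enc_a, shared_secret, nonce_a) == new_auth,
        "nonce_changes_ciphertext": enc_a != enc_b,
        "wrong_nonce_recovers_auth": decrypt_identity_auth(
            enc_a, shared_secret, nonce_b) == new_auth,
        "bit_flip_passes_through": recovered_flipped
        == bytes([new_auth[0] ^ 0x80]) + new_auth[1:],
    }


if __name__ == "__main__":
    print(demo())
```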



| Type | Name | Description |
|---|---|---|
| TCPA_PUBKEY | identityPubKey | This SHALL be the public key of a previously unused asymmetric key pair. |
| TCPA_STORE_ASYMKEY | tpm_signature_key | This SHALL be the private key that forms a pair with identityPubKey and SHALL be extant only in a TCPA-shielded location. |

This capability also generates a TCPA_KEY containing the tpm_signature_key.

If identityPubKey is stored on a platform after an Owner has taken ownership of that platform, it SHALL
exist only in storage to which access is controlled and is available to authorized entities.

Actions 

A Trusted Platform Module that receives a valid TPM_MakeIdentity command SHALL do the following:

1. Validate the idKeyParams parameters for the key description

   a. If the algorithm type is RSA the key length MUST be a minimum of 2048. For
   interoperability the key length SHOULD be 2048

   b. If the algorithm type is other than RSA the strength provided by the key MUST be
   comparable to RSA 2048

2. Use authHandle to verify that the Owner authorized all TPM_MakeIdentity input parameters.

3. Use srkAuthHandle to verify that the SRK owner authorized all TPM_MakeIdentity input parameters.

4. Verify that idKeyParams -> keyUsage is TPM_KEY_IDENTITY. If it is not, return
TCPA_BAD_PARAMETER

5. Verify that idKeyParams -> keyFlags -> migratable is FALSE. If it is not, return
TCPA_BAD_PARAMETER

6. Obtain the identity authorization to be associated with the new TPM identity, by decrypting the field
IdentityAuth. The establishment of the TPM_OSAP session MUST use the authentication of the TPM
Owner.

7. Set continueAuthSession to FALSE.

8. Create an asymmetric key pair (identityPubKey and tpm_signature_key) using a TCPA-protected
capability, in accordance with the algorithm specified in idKeyParams

9. Create TCPA_KEY structure idKey using idKeyParams as the default values for the structure.

10. Ensure that the authorization information in IdentityAuth is properly stored in the idKey as usageAuth.

11. Attach identityPubKey and tpm_signature_key to idKey

12. Set idKey -> migrationAuth to TCPA_PERSISTENT_DATA -> tpmProof

13. Ensure that all TCPA_PAYLOAD_TYPE structures identify this key as TCPA_PT_ASYM

14. Encrypt the private portion of idKey using the SRK as the parent key

15. Create a TCPA_IDENTITY_CONTENTS structure named idContents using labelPrivCADigest and
the information from idKey

16. Sign idContents using tpm_signature_key and TCPA_SS_RSASSAPKCS1v15_SHA1. Store the
result in identityBinding.
9.3.2 TSS_CollateIdentityRequest




Type 

TSS capability and MAY be TPM capability. 



Suggested Parameters

| Type | Name | Description |
|---|---|---|
| TCPA_IDENTITY_PROOF | proof | This SHALL be the structure specified in 4.30.3 |
| TCPA_KEY_PARMS | SymAlgorithm | This SHALL specify the type of symmetric encryption algorithm to be used for a session key, and the scheme it will use to perform encryptions. |
| TCPA_PUBKEY | CaPubKey | This SHALL be public key of the CA which will provide the credential for the identity |
| UINT32* | ReqSize | This SHALL be the size of the identityReq field |
| TCPA_IDENTITY_REQ* | IdentityRequest | This SHALL be the data structure defined in this section. |



Description 

The command TSS_CollateIdentityRequest assembles all data necessary to request attestation of a
Trusted Platform Module identity.

The structure "proof" (of type TPM_IDENTITY_PROOF) contains fields that a privacy-CA requires in order
to decide whether to attest to the TPM identity described by "proof".

A Trusted Platform Subsystem that receives a valid TSS_CollateIdentityRequest command SHALL export
the data structure "TCPA_IDENTITY_REQ".

The TSS in executing this function performs two encryptions. The first is to symmetrically encrypt the
information and the second is to encrypt the symmetric encryption key with an asymmetric algorithm. The
symmetric key is a random nonce and the asymmetric key is the public key of the CA that will provide the
identity credential.

For reasons of interoperability, CaPubKey SHOULD indicate TCPA_ALG_RSA (RSA) with a key length of
2048 bits. SymAlgorithm SHOULD be TCPA_ALG_3DES (3DES in CBC mode).

The use of TCPA_ALG_AES (AES in CBC mode) as the symmetric algorithm is encouraged.

Actions

The command SHALL perform the following actions:

1. Validate that the TSS can support the symmetric algorithm and the asymmetric algorithm necessary
to perform the encryptions. If the TSS does not support these algorithms it MUST return
TCPA_BAD_PARAMETER.

2. Initialize the identityRequest area to be the TCPA_IDENTITY_REQ structure.

3. Create a session key in accordance with the algorithm in SymAlgorithm, by calling TSS_GetRandom.

4. Create an IV in accordance with the algorithm in SymAlgorithm, by calling TSS_GetRandom.

5. Encrypt the TCPA_IDENTITY_PROOF structure using the session key created in step 3, the IV
created in step 4, and the symmetric algorithm specified by SymAlgorithm.

6. Place the encrypted TCPA_IDENTITY_PROOF blob into the TCPA_IDENTITY_REQ.symBlob field.

7. Create a TCPA_SYMMETRIC_KEY structure using the session key created in step 3.

8. Encrypt the TCPA_SYMMETRIC_KEY structure created in step 7 using the algorithm specified in the
key caPubKey.

9. Place the encrypted TCPA_SYMMETRIC_KEY blob into the TCPA_IDENTITY_REQ.asymBlob field.

10. Create TCPA_IDENTITY_REQ.SymAlgorithm using SymAlgorithm and inserting the IV created in
step 4 into the previously empty "parms" field.

11. Create TCPA_IDENTITY_REQ.AsymAlgorithm from CaPubKey.

12. Return the TCPA_IDENTITY_REQ structure.
9.3.3 Contacting a Privacy CA



9.3.4 TPM_ActivateIdentity




Type 

TCPA protected capability; user must provide authorization from the TPM Owner to execute command. 
Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_AUTH2_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes incl. paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_ActivateIdentity. |
| 4 | 4 | | | TCPA_KEY_HANDLE | idKey | Identity key to be activated |
| 5 | 4 | 2S | 4 | UINT32 | blobSize | Size of encrypted blob from CA |
| 6 | <> | 3S | <> | BYTE[] | blob | The encrypted ASYM_CA_CONTENTS structure |
| 7 | 4 | | | TCPA_AUTHHANDLE | idKeyAuthHandle | The authorization handle used for ID key authorization. |
| | | 2H1 | 20 | TCPA_NONCE | idKeyLastNonceEven | Even nonce previously generated by TPM |
| 8 | 20 | 3H1 | 20 | TCPA_NONCE | idKeynonceOdd | Nonce generated by system associated with idKeyAuthHandle |
| 9 | 1 | 4H1 | 1 | BOOL | continueIdKeySession | Continue usage flag for idKeyAuthHandle. |
| 10 | 20 | | | TCPA_AUTHDATA | idKeyAuth | The authorization digest for the inputs and ID key. HMAC key: idKey.usageAuth |
| 11 | 4 | | | TCPA_AUTHHANDLE | authHandle | The authorization handle used for owner authorization. |
| | | 2H2 | 20 | TCPA_NONCE | authLastNonceEven | Even nonce previously generated by TPM to cover inputs |
| 12 | 20 | 3H2 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 13 | 1 | 4H2 | 1 | BOOL | continueAuthSession | The continue use flag for the authorization handle |
| 14 | 20 | | 20 | TCPA_AUTHDATA | ownerAuth | The authorization digest for inputs and owner. HMAC key: ownerAuth. |



Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_AUTH2_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | 1S | 4 | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3. |
| | | 2S | 4 | TCPA_COMMAND_CODE | ordinal | Command ordinal: TPM_ORD_ActivateIdentity. |
| 4 | <> | 3S | <> | TCPA_SYMMETRIC_KEY | symmetricKey | The decrypted symmetric key. |
| 5 | 20 | 2H1 | 20 | TCPA_NONCE | idKeyNonceEven | Even nonce newly generated by TPM. |
| | | 3H1 | 20 | TCPA_NONCE | idKeynonceOdd | Nonce generated by system associated with idKeyAuthHandle |
| 6 | 1 | 4H1 | 1 | BOOL | continueIdKeySession | Continue use flag, TRUE if handle is still active |
| 7 | 20 | | | TCPA_AUTHDATA | idKeyAuth | The authorization digest used for the returned parameters and idKeyAuth session. HMAC key: idKey.usageAuth. |
| 8 | 20 | 2H2 | 20 | TCPA_NONCE | nonceEven | Even nonce newly generated by TPM to cover outputs |
| | | 3H2 | 20 | TCPA_NONCE | nonceOdd | Nonce generated by system associated with authHandle |
| 9 | 1 | 4H2 | 1 | BOOL | continueAuthSession | Continue use flag, TRUE if handle is still active |
| 10 | 20 | | 20 | TCPA_AUTHDATA | resAuth | The authorization digest for the returned parameters. HMAC key: ownerAuth. |



Description 

The command TPM_ActivateIdentity activates a TPM identity created using the command
TPM_MakeIdentity.

The command assumes the availability of the private key associated with the identity. The command will
verify the association between the keys during the process.

The command will decrypt the TCPA_ASYM_CA_CONTENTS structure, extract the session key and
verify the connection between the public and private keys.

Actions

A Trusted Platform Module that receives a valid TPM_ActivateIdentity command SHALL do the following:

1. Using the authHandle field, validate the owner's authorization to execute the command and all of the
incoming parameters.

2. Using the idKeyAuthHandle, validate the authorization to execute command and all of the incoming
parameters

3. Decrypt blob using PRIVEK as the decryption key. The resulting decrypted area MUST be a
TCPA_ASYM_CA_CONTENTS structure.

4. Compute a digest of the public key in the idKey. Compare the computed digest to the value in the
decrypted TCPA_ASYM_CA_CONTENTS structure. Return with the error code
TCPA_BAD_PARAMETER on a mismatch.

5. Validate that the idKey is the public key of a valid TPM identity by checking that idKey -> keyUsage is
TPM_KEY_IDENTITY

6. Return the session key from the TCPA_ASYM_CA_CONTENTS structure.
9.3.5 TSS_RecoverTPMIdentity

The command TSS_RecoverIdentity obtains a plaintext copy of the TPM_IDENTITY_CREDENTIAL
created by a Privacy CA.

If the data structure TPM_IDENTITY_CREDENTIAL is stored on a platform after an Owner has taken
ownership of that platform, it SHALL exist only in storage to which access is controlled and is only
available to authorized entities.



Suggested Parameters

| Type | Name | Description |
|---|---|---|
| TCPA_SYMMETRIC_KEY | SessionKey | This SHALL be the symmetric key decrypted by the TPM_ActivateIdentity |
| UINT32 | symAttSize | This SHALL be the size of the symAtt parameter |
| TCPA_SYM_CA_ATTESTATION* | symAtt | This SHALL be the TCPA_SYM_CA_ATTESTATION structure |
| UINT32* | CredentialSize | This SHALL be the size of the credential |
| BYTE* | Credential | This SHALL be the decrypted TCPA_IDENTITY_CREDENTIAL |



Actions 

A Trusted Platform Subsystem that receives a valid TSS_RecoverIdentity command SHALL do the
following:

1. Using the session key and the symmetric algorithm indicated by algorithm and the algorithm
parameters, decrypt credential parameter inside TCPA_SYM_CA_ATTESTATION to recover the
TPM_IDENTITY_CREDENTIAL.

2. The TSS SHOULD verify the self-consistency of TPM_IDENTITY_CREDENTIAL and abandon this
TSS_RecoverIdentity process if there is an inconsistency. The process of verifying certificates is
outside the scope of this specification.

3. Export TPM_IDENTITY_CREDENTIAL.
9.4 Instantiation of Data When Contacting a Privacy CA

9.4.1 From Owner to Privacy CA

The protocol from the Owner to the Privacy CA SHALL consist of the following IdentityRequest message: 

TcpaIdentityReq ::= SEQUENCE {
    version     Version,
    asymAlg     TcpaAlgorithmParms,
    symAlg      TcpaAlgorithmParms,
    asymBlob    EncTcpaSymmetricKey,
    symBlob     EncTcpaIdentityProof
}

Version ::= INTEGER
-- the version number, for compatibility with future revisions of
-- this specification. It shall be 0 for this version of the
-- specification.

TcpaAlgorithmParms ::= SEQUENCE {
    algid       AlgorithmIdentifier,
    parms       OCTET STRING
    -- the parameters for the algorithm specified in algid
}

EncTcpaSymmetricKey ::= BIT STRING
-- the ciphertext resulting from the encryption (under the public
-- identity key of the Privacy CA) of the following DER-encoded data
-- structure.

TcpaSymmetricKey ::= SEQUENCE {
    algid       AlgorithmIdentifier,
    encScheme   OCTET STRING,   -- TCPA_ENCRYPTION_SCHEME
    data        BIT STRING      -- randomly-generated session key
}

EncTcpaIdentityProof ::= BIT STRING
-- the ciphertext resulting from the encryption (under the session
-- key in TcpaSymmetricKey above) of the following DER-encoded data
-- structure:

TcpaIdentityProof ::= SEQUENCE {
    tcpaVersion      TCPASpecVersion,        -- "major.minor"
    tpmIdKey         SubjectPublicKeyInfo,   -- new public key
    tpmIdLabel       OCTET STRING,           -- identity label
    identityBinding  BIT STRING,             -- (see below)
    endorsementCred  Certificate,            -- X.509v3 PK cert
    platformCred     Certificate,            -- X.509 attr. cert
    conformanceCred  Certificate             -- X.509 attr. cert
}

-- SubjectPublicKeyInfo
-- (a SEQUENCE of an AlgorithmIdentifier and a BIT STRING) is
-- specified in X.509. The BIT STRING contains the subject's public
-- key (for example, if the algorithm specified is rsaEncryption, the
-- BIT STRING contains the BER encoding of a value of PKCS #1 type
-- "RSAPublicKey").

-- identityBinding
-- is the signature value (using the newly generated TPM private key
-- that corresponds to the public key in tpmIdKey) over the data
-- specified in Section 4.30.1 TCPA_IDENTITY_CONTENTS. How that data is
-- formatted or delimited is beyond the scope of the protocol
-- specified here; however, the formatting chosen must be known to
-- both the TPM and the Privacy CA.
9.4.2 From Privacy CA to Owner

The protocol from the Privacy CA to the Owner consists of the PCAResponse message: 

PCAResponse :: = SEQUENCE { 

version Version, 

syroToAIg „ Algorithmldentif ier , 

encTcpaAsymCaContents EncTcpaAsymCaContents , 
tcpaSymCaAt testation TcpaSymCaAttestation 

} 

EncTcpaAsymCaContents ::= BIT STRING 

the ciphertext resulting from the encryption (under the PUBEK of 
-- the TPM) of the following DER-encoded data structure: 

TcpaAsymCaContents ::= SEQUENCE { 

idDigest BIT STRING, hash of tpmldKey 

sessionKey BIT STRING 

} 

NOTE: the validity of the entire protocol for obtaining a TPM 
identity depends critically upon the assumption that a genuine 

-- TPM will only ever decrypt data using its PR3VEK as part of the 
TPM_ActivateIdentity ( ) call. An Owner will never be able to ask a 
TPM for the decryption of arbitrary data that has been encrypted 
with its PUBEK. Furthermore, the difficulty of successfully 
impersonating a TPM is ultimately bound to the computational 

-- complexity of finding a collision for idDigest. It is therefore 
STRONGLY RECOMMENDED that the digest be computed using the full 
output of a cryptographic hash algorithm of sufficient strength 
(e.g., the full 160 bits of SHA-1). 



TcpaSymCaAttestation : := SEQUENCE { 

algorithm TcpaAlgori thmParms , 

encCredential BIT STRING 

-- the ciphertext resulting from the encryption (under the 
-- symmetric session key in TcpaAsymCaContents above) of the 

tpmldentityCredential (which is itself DER-encoded as an 

X.509 PK Certificate). 
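
An added example, not part of the TCPA specification: it DER-encodes TcpaAsymCaContents on the Privacy CA side and applies the idDigest check that the NOTE above depends on, as a TPM is assumed to do after PRIVEK decryption. The RSA encryption under the PUBEK is left out; the function names and sample bytes are constructed for illustration, and hashing the raw tpmIdKey bytes is an assumption about the digest input.

```python
import hashlib
import hmac

SHA1_LEN = 20  # "the full 160 bits of SHA-1"

# Constructed sample values, not real key material.
SAMPLE_TPM_ID_KEY = b"constructed-SubjectPublicKeyInfo-bytes-for-tpmIdKey"
SAMPLE_SESSION_KEY = bytes(range(16))


def _der_len(n):
    """Encode a DER definite length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _bit_string(octets):
    """DER BIT STRING carrying whole octets (zero unused bits)."""
    return b"\x03" + _der_len(len(octets) + 1) + b"\x00" + octets


def encode_asym_ca_contents(id_digest, session_key):
    """Privacy CA side: DER-encode TcpaAsymCaContents before PUBEK encryption."""
    body = _bit_string(id_digest) + _bit_string(session_key)
    return b"\x30" + _der_len(len(body)) + body


def build_for_identity(tpm_id_key, session_key):
    """Privacy CA side: bind the session key to the full SHA-1 of tpmIdKey."""
    return encode_asym_ca_contents(hashlib.sha1(tpm_id_key).digest(), session_key)


def _read_tlv(buf, pos, tag):
    """Read one TLV with strict DER length rules; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated header")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal DER length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return buf[pos:pos + length], pos + length


def decode_asym_ca_contents(der):
    """Parse TcpaAsymCaContents; return (id_digest, session_key)."""
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    fields, pos = [], 0
    for _ in range(2):
        value, pos = _read_tlv(seq, pos, 0x03)
        if not value or value[0] != 0:
            raise ValueError("BIT STRING must contain whole octets")
        fields.append(value[1:])
    if pos != len(seq):
        raise ValueError("unexpected extra field")
    return fields[0], fields[1]


def release_session_key(decrypted_der, tpm_id_key):
    """TPM side, after PRIVEK decryption: hand out sessionKey only if idDigest
    is a full-length SHA-1 of the identity public key this TPM generated."""
    id_digest, session_key = decode_asym_ca_contents(decrypted_der)
    if len(id_digest) != SHA1_LEN:
        raise PermissionError("idDigest is not a full 160-bit digest")
    if not hmac.compare_digest(id_digest, hashlib.sha1(tpm_id_key).digest()):
        raise PermissionError("idDigest does not match this TPM's identity key")
    return session_key
```

A truncated digest is refused even when its bytes would match a prefix of the real one, which is the behaviour the "full 160 bits" recommendation asks for.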
9.5 Instantiation of Credentials as Certificates

Certificate syntax

The certificate syntax conforms with the definitions for public-key certificates and attribute certificates in
X.509. The following TCPA certificate types are public-key certificates:

• TPM endorsement certificate

• TPM identity certificate

The following TCPA certificate types are attribute certificates:

• Platform endorsement certificate

• Platform conformance certificate

• Validation data certificate

The form of the following certificates is out of scope for this version of the TPM specification:

• TPM endorsement entity certificate

• TCPA component endorsement entity certificate

• Platform endorsement entity certificate

• Platform conformance certificate

The serial number used by the following certificates is not unique for each platform. It is anticipated that
the serial number would remain the same on multiple platforms.

For instance, all platforms of the same model and version would have the same serial number in their
platform endorsement credential. For these same platforms, the platform conformance certificates would
all use the same serial number but that number would be different than the endorsement certificate serial
number.
9.5.1 Instantiation of TPM_ENDORSEMENT_CREDENTIALS

If the data structure <endorsement_certificate> is stored on a platform after an Owner has taken
ownership of that platform, it SHALL exist only in storage to which access is controlled and is available to
authorized entities.

Overview

The TPM endorsement certificate represents an assertion by the TPM endorsement entity that the
referenced TPM conforms with the TCPA TPM specification.

Profile

Notes:

• Some fields are assigned a value even though the certificate user performs no action based on
that value. In such cases, the intention is to inhibit non-TCPA implementations from making
inappropriate use of the certificate.

• It is intended that the lifetime of a TPM will be shorter than the crypto-period of the TPM
endorsement public and private keys. Therefore, keys are not "rolled-over".

• The trustworthiness of the architecture is vulnerable to the compromise of a single TPM
endorsement private key. However, the architecture does not include a revocation mechanism.
Nevertheless, certain forms of revocation scheme can be retrofitted, should it become necessary
at some time in the future.

In the case of the TPM endorsement certificate, the issuer is the TPM endorsement entity and the user is
a Privacy CA.



Field: Version
Issuer action: Assign value 2 (v3).
User action: Check value = 2, else reject.

Field: Serial number
Issuer action: Assign a value unique amongst all certificates issued by "issuer".
User action: Use in validating the platform endorsement and conformance certificates.

Field: Signature
Issuer action: Assign the algorithm identifier sha-1WithRSAEncryption (1:2:840:113549:1:1:5).
User action: Check the algorithm identifier = 1:2:840:113549:1:1:5, else reject. Validate the signature on the certificate using the public key of the TPME (which shall be a 2048-bit RSA key), obtained by an out-of-band means and referenced by "issuer" and "authority key identifier".

Field: Issuer
Issuer action: The distinguished name of the TPM endorsement entity. That is the entity that asserts that the subject TPM conforms with the TCPA specification. (Note: this may be the TPM manufacturer or a conformance test laboratory.)
User action: Check that the name is the name of one of the acceptable TPM endorsement entities, use in validating the platform endorsement and conformance certificates.

Field: Validity
Issuer action: Assign notBefore to the current time and notAfter to a later time (maybe the latest time permitted by the encoding scheme).
User action: Check that the current time is later than the notBefore time, else reject.

Field: Subject
Issuer action: Assign the value NULL.
User action: No action.

Field: Subject public key info
Issuer action: Assign algorithm identifier RSAES-OAEP (1:2:840:113549:1:1:7). Include a 2048-bit RSA public key for key encipherment with OAEP formatting. (Note: this is the TPM public endorsement key.)
User action: Use the public key in the TPM identity protocol.

Field: Issuer unique identifier
Issuer action: Omit.
User action: No action.

Field: Subject unique identifier
Issuer action: Omit.
User action: No action.

Extensions

Field: Authority key identifier
Issuer action: Assign "critical" the value FALSE. Assign the value of "subject key identifier" from the manufacturer's certificate, if available, else omit.
User action: Use to locate the certificate that contains a public key of the manufacturer with which the signature on this certificate can be verified.

Field: Subject key identifier
Issuer action: Omit.
User action: No action.

Field: Key usage
Issuer action: May be omitted. If included, then the key encipherment bit shall be set TRUE.
User action: If present, then check that the key encipherment bit is TRUE, else reject.

Field: Extended key usage
Issuer action: Omit.
User action: If present and marked critical, then reject.

Field: Private key usage period
Issuer action: Omit.
User action: If present, then check that the current time is later than the notBefore time.

Field: Certificate policies
Issuer action: Assign "critical" the value TRUE. Assign policyIdentifier at least one object identifier. Assign the cPSuri policy qualifier the value of an HTTP URL at which a plain language version of the TPM endorsement entity's certificate policy may be obtained. Assign the explicit text userNotice policy qualifier the value "TCPA Trusted Platform Module Endorsement".
User action: Check that at least one acceptable policyIdentifier value is present. Transfer the acceptable policyInformation value to the TPM identity certificate "certificate policies" extension.

Field: Policy mappings
Issuer action: Omit.
User action: No action.

Field: Subject alternative name
Issuer action: Assign "critical" the value FALSE. Include the TPM identity, using the directory name-form with RDNs for the TPM manufacturer, model and version numbers.
User action: Check that the TPM manufacturer, model and version numbers are acceptable. Transfer to the TPM identity certificate "subject alternative name" extension value for the TPM.

Field: Issuer alternative name
Issuer action: Omit.
User action: No action.

Field: Subject directory attributes
Issuer action: Include a subject directory attributes extension. Assign "critical" the value FALSE. Include the multi-valued attribute "supported algorithms" (see X.509). Include object identifiers for the following algorithms: RSAES-OAEP, SHA-1 (1.3.14.3.2.26) and TPM identity protocol.
User action: Adapt the TPM identity protocol to use only algorithms supported by the TPM.

Issuer action: Include the "TCPA Specification Version" attribute, with field values correctly reflecting the highest version of the TCPA specification with which the TPM implementation conforms.
User action: Check that the TCPA specification version is acceptable, else reject.

Issuer action: Optionally, include the "security qualities" attribute with a text string reflecting the security qualities of the TPM. (Note: this is the TPM distributed validation.)
User action: Optionally (and if present), check whether the TPM implementation has acceptable security qualities. Transfer to the TPM identity certificate "subject directory attributes" extension.

Field: Basic constraints
Issuer action: Assign "critical" the value TRUE. Assign "CA" the value FALSE.
User action: No action.

Field: Name constraints
Issuer action: Omit.
User action: No action.

Field: Policy constraints
Issuer action: Omit.
User action: No action.

Field: Inhibit any policy
Issuer action: Omit.
User action: No action.

Field: CRL distribution points
Issuer action: Omit.
User action: If present and marked critical, then reject.
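
An added example, not part of the TCPA specification: the user-action column of the 9.5.1 profile as a Privacy CA might apply it to an already-parsed TPM endorsement certificate. The dictionary layout, function name, policy sets and sample values (including the 2.999 example OIDs) are assumptions constructed for illustration, and the result of signature validation is passed in from a check done elsewhere.

```python
from datetime import datetime, timezone

SHA1_WITH_RSA = "1.2.840.113549.1.1.5"  # written 1:2:840:113549:1:1:5 in the profile


def check_endorsement_cert(cert, policy, now, signature_verified):
    """Apply the 9.5.1 user actions to a parsed certificate (assumed dict layout).

    Returns (reasons, transfer). reasons is empty when the certificate is
    accepted; transfer holds the values carried into the TPM identity
    certificate and is empty whenever the certificate is rejected.
    """
    reasons, transfer = [], {}
    ext = cert.get("extensions", {})

    if cert.get("version") != 2:
        reasons.append("version is not 2 (v3)")
    if cert.get("signature_algorithm") != SHA1_WITH_RSA:
        reasons.append("signature algorithm is not sha-1WithRSAEncryption")
    if not signature_verified:
        reasons.append("signature not validated with the TPME public key")
    if cert.get("issuer") not in policy["acceptable_issuers"]:
        reasons.append("issuer is not an acceptable TPM endorsement entity")
    # The profile checks notBefore only; notAfter may be the latest encodable time.
    not_before = cert.get("not_before")
    if not_before is None or not now > not_before:
        reasons.append("current time is not later than notBefore")

    key_usage = ext.get("key_usage")
    if key_usage is not None and not key_usage["value"].get("key_encipherment"):
        reasons.append("key usage present without keyEncipherment")
    # These two extensions are tolerated unless the issuer marked them critical.
    for name in ("extended_key_usage", "crl_distribution_points"):
        if name in ext and ext[name]["critical"]:
            reasons.append(name + " present and marked critical")
    pkup = ext.get("private_key_usage_period")
    if pkup is not None and not now > pkup["value"]["not_before"]:
        reasons.append("private key usage period has not started")

    policies = ext.get("certificate_policies", {}).get("value", [])
    accepted = [p for p in policies if p in policy["acceptable_policies"]]
    if accepted:
        transfer["certificate_policies"] = accepted
    else:
        reasons.append("no acceptable policyIdentifier")

    san = ext.get("subject_alt_name", {}).get("value")
    if san in policy["acceptable_tpms"]:
        transfer["subject_alt_name"] = san
    else:
        reasons.append("TPM manufacturer/model/version not acceptable")

    sda = ext.get("subject_directory_attributes", {}).get("value", {})
    if sda.get("tcpa_spec_version") in policy["acceptable_spec_versions"]:
        transfer["supported_algorithms"] = sda.get("supported_algorithms", [])
    else:
        reasons.append("TCPA specification version not acceptable")

    return reasons, ({} if reasons else transfer)


# Constructed sample data: every name, OID and version below is a placeholder.
SAMPLE_NOW = datetime(2003, 6, 1, tzinfo=timezone.utc)
SAMPLE_POLICY = {
    "acceptable_issuers": {"CN=Example TPM Endorsement Entity"},
    "acceptable_policies": {"2.999.1.1"},
    "acceptable_tpms": {("ExampleCorp", "TPM-X", "1.0")},
    "acceptable_spec_versions": {"1.1"},
}
SAMPLE_CERT = {
    "version": 2,
    "signature_algorithm": SHA1_WITH_RSA,
    "issuer": "CN=Example TPM Endorsement Entity",
    "not_before": datetime(2002, 1, 1, tzinfo=timezone.utc),
    "extensions": {
        "key_usage": {"critical": False, "value": {"key_encipherment": True}},
        "certificate_policies": {"critical": True, "value": ["2.999.1.1"]},
        "subject_alt_name": {"critical": False,
                             "value": ("ExampleCorp", "TPM-X", "1.0")},
        "subject_directory_attributes": {"critical": False, "value": {
            "tcpa_spec_version": "1.1",
            "supported_algorithms": ["1.2.840.113549.1.1.7", "1.3.14.3.2.26"],
        }},
    },
}
```

Collecting every rejection reason, rather than stopping at the first, gives the Privacy CA a complete record of why a request was refused.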
9.5.2 Instantiation of PLATFORM_CREDENTIAL




If the data structure <platform_certificate> is stored on a platform after an Owner has taken ownership of 
that platform, it SHALL exist only in storage to which access is controlled and is available to authorized 
entities. 

Overview 

The Platform Endorsement Certificate represents an assertion by the platform endorsement entity that the 
referenced platform incorporates a TPM and an RTM in a manner that conforms with the TCPA 
specification. 

Profile 

Note: some fields are assigned a value even though the certificate user performs no action with that 
value. In such cases, the intention is to inhibit non-TCPA implementations from making inappropriate use 
of the certificate. 



In the case of the Platform endorsement certificate, the issuer is the platform manufacturer and the user 
is a Privacy CA. 



Field: Version
Issuer action: Assign value 1 (v2).
User action: Check value = 1, else reject.

Field: Holder
Issuer action: BaseCertificateID referencing the corresponding TPM endorsement certificate. (Note: this is the TPM credential reference.)
User action: Check that the certificate ID correctly references the TPM endorsement certificate used to validate the TPM identity request message, else reject.

Field: Issuer
Issuer action: The distinguished name of the platform endorsement entity. That is the entity that asserts that the subject platform incorporates a TPM and RTM in a manner that conforms with the TCPA specification. (Note: this may be the platform manufacturer or a conformance test laboratory.)
User action: Check that the name is the name of one of the acceptable platform endorsement entities.

Field: Signature
Issuer action: Assign algorithm identifier sha-1WithRSAEncryption (1:2:840:113549:1:1:5).
User action: Check algorithm identifier = 1:2:840:113549:1:1:5, else reject. Validate the signature on the certificate using the public key of the Platform Endorsement Entity (which should be a 2048-bit RSA key), obtained by an out-of-band means and referenced by "issuer" and "authority key identifier".

Field: Serial number
Issuer action: Assign a value unique per instance of a TBB amongst all certificates issued by "issuer".
User action: No action.

Field: attrCertValidityPeriod
Issuer action: Assign notBefore to the current time and notAfter to a later time (maybe the latest time permitted by the encoding scheme).
User action: Check that the current time is later than the notBefore time, else reject.

Field: Attributes
Issuer action: A "supported algorithms" attribute (see X.509) indicating the cryptographic algorithms supported by the platform.
User action: Transfer the object identifiers for any acceptable algorithms to the TPM identity certificate "subject directory attributes" extension.

Issuer action: Include the "TCPA Specification Version" attribute, with field values correctly reflecting the highest version of the TCPA specification with which the platform implementation conforms.
User action: Check that the TCPA specification version is acceptable, else reject.

Issuer action: If the TPM has been successfully evaluated against a Common Criteria protection profile, then include the TPM protection profile identifier attribute.
User action: Optionally, check whether the identifier is acceptable. Transfer the protection profile identifier to the TPM identity certificate.

Issuer action: If the TPM has been successfully evaluated against a Common Criteria security target, then include the TPM security target identifier attribute.
User action: Optionally, check whether the identifier is acceptable. Transfer the security target identifier to the TPM identity certificate.

Issuer action: If the RTM and the means by which the TPM and RTM have been incorporated into the platform have been successfully evaluated against a Common Criteria protection profile, then include the "foundation protection profile" identifier attribute.
User action: Optionally, check whether the identifier is acceptable. Transfer the protection profile identifier to the TPM identity certificate "subject directory attributes" extension.

Issuer action: If the RTM and the means by which the TPM and RTM have been incorporated into the platform have been successfully evaluated against a Common Criteria security target, then include the "foundation security target" identifier attribute.
User action: Optionally, check whether the identifier is acceptable. Transfer the security target identifier to the TPM identity certificate "subject directory attributes" extension.

Issuer action: If there is, or will be, a Platform Conformance Certificate, then a ConformanceCertificateLocation attribute should be included to indicate how, and from where, it can be retrieved.
User action: Use the information to locate and retrieve the corresponding Platform Conformance Certificate.

Issuer action: Optionally, include the "security qualities" attribute with a text string reflecting the security qualities of the platform. (Note: this is the platform distributed validation.)
User action: Optionally (and if present), check whether the platform implementation has acceptable security qualities. Transfer to the TPM identity certificate "subject directory attributes" extension.

Field: Issuer unique identifier
Issuer action: Omit.
User action: No action.

Extensions

Field: Certificate policies
Issuer action: Assign "critical" the value TRUE. Assign policyIdentifier at least one object identifier. Assign the cPSuri policy qualifier the value of an HTTP URL at which a plain language version of the platform manufacturer's certificate policy may be obtained. Assign the explicit text userNotice policy qualifier the value "TCPA Trusted Platform Endorsement".
User action: Check that at least one acceptable policyIdentifier value is present. Transfer the policyInformation value to the TPM identity certificate "certificate policies" extension.

Field: Subject alternative name
Issuer action: Assign "critical" the value FALSE. Include the platform name, uniquely identifying the type of the platform with RDNs for the manufacturer, model and version numbers.
User action: Check that the manufacturer, model and version numbers are acceptable. Transfer to the TPM identity certificate "subject alternative name" extension.

Field: Authority key identifier
Issuer action: Assign "critical" the value FALSE. Assign the value of "subject key identifier" from the platform endorsement entity certificate, if available, else omit.
User action: The certificate user may use this value to locate the certificate that contains a public key of the platform endorsement entity with which the signature on this certificate can be verified.

Field: SOA Identifier
Issuer action: Omit.
User action: No action.

Field: Authority Attribute Identifier
Issuer action: Omit.
User action: No action.

Field: Role Specification Certificate Identifier
Issuer action: Omit.
User action: No action.

Field: Basic Attribute Constraints
Issuer action: Assign "critical" the value TRUE. Assign "authority" the value FALSE.
User action: Check that "authority" is FALSE.

Field: Delegated Name Constraints
Issuer action: Omit.
User action: No action.

Field: Time Specification
Issuer action: Omit.
User action: No action.

Field: Acceptable Certificate Policies
Issuer action: Assign "critical" the value TRUE. Assign one or more of the values of policyIdentifier from the certificate policies extension of the TPM endorsement certificate.
User action: Check that the certificate policies extension of the TPM endorsement certificate contains at least one of the values.

Field: Attribute Descriptor
Issuer action: Omit.
User action: No action.

Field: User Notice
Issuer action: Omit.
User action: No action.

Field: No Rev Available
Issuer action: Omit.
User action: No action.

Field: Acceptable Privilege Policies
Issuer action: Omit.
User action: No action.
9.5.3 Instantiation of TPM_CONFORMANCE_CREDENTIAL

Overview

The Platform Conformance Certificate represents an assertion by the platform conformance entity that the 
referenced platform conforms with the TCPA specification. 

Profile 

Note: some fields are assigned a value even though the certificate user performs no action with that 
value. In such cases, the intention is to inhibit non-TCPA implementations from making inappropriate use 
of the certificate. 



In the case of the Platform conformance certificate, the issuer is the platform manufacturer and the user 
is a Privacy CA. 



Field: Version
Issuer action: Assign value 1 (v2).
User action: Check value = 1, else reject.

Field: Holder
Issuer action: Include the platform name, uniquely identifying the type of the platform with RDNs for the manufacturer, model and version numbers.
User action: Check that the value is the same as the value in the corresponding Platform Endorsement Certificate, Subject Alternative Name extension, else reject.

Field: Issuer
Issuer action: The distinguished name of the platform conformance entity. That is the entity that asserts that the design of the platform conforms with the TCPA specification. (Note: this may be the platform manufacturer or a conformance test laboratory.)
User action: Check that the name is the name of one of the acceptable platform conformance entities.

Field: Signature
Issuer action: Assign algorithm identifier sha-1WithRSAEncryption (1:2:840:113549:1:1:5).
User action: Check algorithm identifier = 1:2:840:113549:1:1:5, else reject. Validate the signature on the certificate using the public key of the platform conformance entity (which should be a 2048-bit RSA key), obtained by an out-of-band means and referenced by "issuer" and "authority key identifier".

Field: Serial number
Issuer action: Assign a value unique per evaluated series of a TBB amongst all certificates issued by "issuer".
User action: No action.

Field: attrCertValidityPeriod
Issuer action: Assign notBefore to the current time and notAfter to a later time (maybe the latest time permitted by the encoding scheme).
User action: Check that the current time is later than the notBefore time, else reject.

Field: Attributes
Issuer action: Include a "supported algorithms" attribute (see X.509) indicating the algorithms supported by the platform.
User action: Transfer the object identifiers for any acceptable algorithms to the TPM identity certificate "subject directory attributes" extension.

Issuer action: Include the "TCPA specification version" attribute, with field values correctly reflecting the highest version of the TCPA specification with which the platform implementation conforms.
User action: Check that the TCPA specification version is acceptable, else reject.

Issuer action: If the TPM has been successfully evaluated against a Common Criteria protection profile, then include the TPM protection profile identifier attribute.
User action: Check that the identifier is acceptable. Transfer the protection profile identifier to the TPM identity certificate.

Issuer action: If the TPM has been successfully evaluated against a Common Criteria security target, then include the TPM security target identifier attribute.
User action: Check that the identifier is acceptable. Transfer the security target identifier to the TPM identity certificate.

Issuer action: If the RTM and means by which the RTM and TPM are incorporated into the platform has been successfully evaluated against a Common Criteria protection profile, then include the foundation protection profile identifier attribute.
User action: Check that the identifier is acceptable. Transfer the protection profile identifier to the TPM identity certificate "subject directory attributes" extension.

Issuer action: If the RTM and the means by which the RTM and TPM have been incorporated into the platform have been successfully evaluated against a Common Criteria security target, then include the foundation security target identifier attribute.
User action: Check that the identifier is acceptable. Transfer the security target identifier to the TPM identity certificate "subject directory attributes" extension.

Field: Issuer unique identifier
Issuer action: Omit.
User action: No action.

Extensions

Field: Certificate policies
Issuer action: Assign "critical" the value TRUE. Assign policyIdentifier at least one object identifier. Assign the cPSuri policy qualifier the value of an HTTP URL at which a plain language version of the platform conformance entity's certificate policy may be obtained. Assign the explicit text userNotice policy qualifier the value "TCPA Conformance Credential".
User action: Check that at least one acceptable policyIdentifier value is present. Transfer the policyInformation value to the TPM identity certificate.

Field: Subject alternative name
Issuer action: Assign "critical" the value FALSE. Include the platform name, uniquely identifying the type of the platform with RDNs for the platform manufacturer, model and version numbers.
User action: Check that the manufacturer, model and version numbers are identical to those in the platform endorsement certificate "subject alternative name" extension.

Field: Authority key identifier
Issuer action: Assign "critical" the value FALSE. Assign the value of "subject key identifier" from the platform conformance entity's public-key certificate, if available, else omit.
User action: The certificate user may use this value to locate the certificate that contains a public key of the platform conformance entity with which the signature on this certificate can be verified.

Field: SOA Identifier
Issuer action: Omit.
User action: No action.

Field: Authority Attribute Identifier
Issuer action: Omit.
User action: No action.

Field: Role Specification Certificate Identifier
Issuer action: Omit.
User action: No action.

Field: Basic Attribute Constraints
Issuer action: Assign "critical" the value TRUE. Assign "authority" the value FALSE.
User action: Check that

Field: Delegated Name Constraints
Issuer action: Omit.
User action: No action.

Field: Time Specification
Issuer action: Omit.
User action: No action.

Field: Acceptable Certificate Policies
Issuer action: Omit.
User action: No action.

Field: Attribute Descriptor
Issuer action: Omit.
User action: No action.

Field: User Notice
Issuer action: Omit.
User action: No action.

Field: No Rev Available
Issuer action: Omit.
User action: No action.

Field: Acceptable Privilege Policies
Issuer action: Omit.
User action: No action.

TCPA Main Specification, Version 1.1a, 1 December 2001
9.5.4 Instantiation of VALIDATION_DATA




Overview 



The validation data certificate represents an assertion by the component validation entity that the 
component instructions referenced by the certificate have the attributes conveyed in the certificate. The 
certificate syntax conforms with the X.509 definition for an attribute certificate. 



In the case of the validation certificate, the issuer is the Validation Entity and the user is a TPS. 



Field: Version
Issuer action: Assign value 1 (v2).
User action: Check value = 1, else reject.

Field: Holder
Issuer action: ObjectDigestInfo with missing object identifier. The value of objectDigest shall be the digest calculated over the memory image of the software instructions using the identified digest algorithm.
User action: Calculate the digest of the memory image of the software instructions and check that it is identical to the value in this field prior to passing control to the component, else reject.

Field: Issuer
Issuer action: The distinguished name of the component validation entity. That is the entity that asserts that the component exhibits the attributes contained in the certificate. (Note: typically, but not necessarily, the manufacturer of the component).
User action: Check that the name is the name of one of the acceptable component validation entities.

Field: Signature
Issuer action: Assign algorithm identifier sha-1WithRSAEncryption (1:2:840:113549:1:1:5).
User action: Check algorithm identifier = 1:2:840:113549:1:1:5, else reject. Validate the signature on the certificate using the public key of the software manufacturer (which should be a 2048-bit RSA key), obtained by an out-of-band means and referenced by "issuer" and "authority key identifier".

Field: Serial number
Issuer action: Assign a value unique amongst all certificates issued by "issuer". Uniqueness to be determined by the manufacturer.
User action: No action.

Field: attrCertValidityPeriod
Issuer action: Assign notBefore to the current time and notAfter to a later time (maybe the latest time permitted by the encoding scheme).
User action: Check that the current time is later than the notBefore time, else reject.

Field: Attributes
Issuer action: Include the "TCPA specification version" attribute, with field values correctly reflecting the highest version of the TCPA specification with which the component conforms.
User action: Check that the TCPA specification version is acceptable, else reject.

Issuer action: Optionally, include the "security qualities" attribute with a text string reflecting the security qualities of the component. (Note: this is the component distributed
User action: Optionally (and if present), check whether the component implementation has acceptable security qualities.

Field: Issuer unique identifier
Issuer action: Omit.
User action: No action.

Extensions

Field: Certificate policies
Issuer action: Assign "critical" the value TRUE. Assign policyIdentifier at least one object identifier. Assign the cPSuri policy qualifier the value of an HTTP URL at which a plain language version of the component conformance entity's certificate policy may be obtained. Assign the explicit text userNotice policy qualifier the value "TCPA Validation Data".
User action: Check that at least one acceptable policyIdentifier value is present.

Field: Subject Alternative Name
Issuer action: Assign "critical" the value FALSE. Include the component name, using the "component name" attribute, with RDNs for the component manufacturer, model and version numbers.
User action: May be used to determine whether or not the component is trustworthy.

Field: Authority key identifier
Issuer action: Assign "critical" the value FALSE. Assign the value of "subject key identifier" from the component validation entity certificate, if available, else omit.
User action: The certificate user may use this value to locate the certificate that contains a public key of the component validation entity with which the signature on this certificate can be verified.

Field: SOA Identifier
Issuer action: Omit.
User action: No action.

Field: Authority Attribute Identifier
Issuer action: Omit.
User action: No action.

Field: Role Specification Certificate Identifier
Issuer action: Omit.
User action: No action.

Field: Basic Attribute Constraints
Issuer action: Assign "critical" the value TRUE. Assign "authority" the value FALSE.
User action: Check that "authority" is FALSE.

Field: Delegated Name Constraints
Issuer action: Omit.
User action: No action.

Field: Time Specification
Issuer action: Omit.
User action: No action.

Field: Acceptable Certificate Policies
Issuer action: Omit.
User action: No action.

Field: Attribute Descriptor
Issuer action: Omit.
User action: No action.

Field: User Notice
Issuer action: Omit.
User action: No action.

Field: No Rev Available
Issuer action: Omit.
User action: No action.

Field: Acceptable
Issuer action: Omit.
User action: No action.
9.5.5 Instantiation of TPM_IDENTITY_CREDENTIAL

If the data structure <TPM identity certificate> is stored on a platform after an Owner has taken ownership
of that platform, it SHALL exist only in storage to which access is controlled and is available to authorized
entities.

Overview

The TPM identity certificate represents an assertion by the Privacy CA that the referenced TPM identity is 
controlled by a TPM that conforms with the TPM specification. It contains a different public key to that 
contained in the TPM endorsement certificate, but it contains identifying and policy information transferred 
from the TPM endorsement, platform endorsement and platform conformance certificates. 

Profile 

Note: 

• Some fields are assigned a value even though the certificate user performs no action with that 
value. In such cases, the intention is to inhibit non-TCPA implementations from making 
inappropriate use of the certificate. 

• The policies identified in the TPM and platform certificates are represented by oids and are not 
distinguishable except by reference to the contents of the policies themselves. The verifier, 
however, must be able to distinguish between the different policy types. 

In the case of the TPM identity certificate, the issuer is the Privacy CA and the user is an integrity 
verifier. 



Field 


Issuer action 


User action 


Version 


Assign value 2 (v3). 


Check value = 2, else reject. 


Serial number 


Assign a value unique amongst all 
certificates issued by "issuer". 


No action. 


Signature 


Assign algorithm identifier sha- 

IWithRSAEncryption 

(1:2:840:113549:1:1:5). 


Check the algorithm identifier 
1:2:840:113549:1:1:5, else reject. Validate 
the signature on the certificate using the 
public key of the Privacy CA (which should 
be a 2048-bit RSA key), obtained by an out- 
of-band means and referenced by "issuer" 
and "authority key identifier". 


Issuer 


The distinguished name of the Privacy 
CA. 


Check that the name is the name of an 
acceptable Privacy CA. 


Validity 


Assign notBefore to the current time 
and notAfter to a later time (maybe 
the latest time permitted by the 
encoding scheme). 


Check that the current time is later than the 
notBefore time, else reject. 


Subject 
Subject public 


NULL. 

Assign alqorithm identifier sha- 


No action. 

Check alqorithm identifier = 
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key info 




IWithRSAEncryption 
(1:2:840:113549:1:1:5). The 2048-bit 
RSA public key provided to the 
Privacy CA by the TPM owner in the 
identity request message. 


1:2:840:113549:1:1:5, else reject. Use the 
public key in the integrity verification 
procedure. 


Issuer unique 
identifier 


Omit. 


No action. 


| Subject unique identifier | Omit. | No action. |
| Extensions | | |
| Authority key identifier | Assign critical the value FALSE. Assign the value of "subject key identifier" from the Privacy CA's public-key certificate, if available, else omit. | The certificate user may use this value to locate the certificate that contains a public key of the Privacy CA with which the signature on this certificate can be verified. |
| Subject key identifier | Omit. | No action. |
| Key usage | May be omitted. If included, then the digital signature bit shall be set TRUE. | If present, then check that the digital signature bit is TRUE, else reject. |
| Extended key usage | Omit. | If present and marked critical, then reject. |
| Private key usage period | Omit. | If present, then check that the current time is later than the notBefore time, else reject. |
| Certificate policies | Assign "critical" the value TRUE. Assign policyIdentifier at least one object identifier. Optionally, assign the cPSuri the value of an HTTP URL at which a plain language version of the Privacy CA's certificate policy may be obtained. Assign the explicit text userNotice policy qualifier the value "TCPA Trusted Platform Identity". Also, include the policyInformation values from the certificate policies extensions of the TPM endorsement and platform endorsement and conformance certificates provided in the TPM identity request message. | Check that at least one acceptable Privacy CA policyIdentifier value is present. Optionally, check that at least one acceptable TPM endorsement, one acceptable platform endorsement and one acceptable platform conformance policyIdentifier value are present. |
| Policy mappings | Omit. | No action. |
| Subject alternative name | Assign "critical" the value FALSE. Include three values in the extension: the TPM manufacturer, model and version numbers from the TPM endorsement certificate "subject alternative name" extension provided in the TPM identity request message; the platform manufacturer, model and version numbers from the platform endorsement certificate "subject alternative name" extension provided in the TPM identity request message; and the TPM identity label provided to the Privacy CA by the TPM owner in the identity request message, encoded as a TPMIdLabel other-name. The TPM owner should choose a label syntax and semantics that are understood by the integrity verifier. (Note: the specified syntax accommodates multi-byte character sets). | Check that the manufacturer, model and version numbers of the TPM and of the platform are acceptable. |
| Issuer alternative name | Omit. | No action. |
| Subject directory attributes | Assign "critical" the value FALSE, include a multi-valued "supported algorithms" (see X.509) attribute containing object identifiers from the "subject directory attributes" extension of the TPM endorsement certificate and the "attributes" field of the platform endorsement certificate and the platform conformance certificate provided in the TPM identity request message. | Adapt the integrity verification protocol to use only algorithms supported by the TPM and the associated platform. |
| | Include the single-valued "TPM protection profile" attribute from the platform endorsement certificate provided in the TPM identity request message. | Check that the identifier is acceptable. |
| | Include the single-valued "TPM security target" attribute from the platform endorsement certificate provided in the TPM identity request message. | Check that the identifier is acceptable. |
| | Include the single-valued "Foundation protection profile" attribute from the platform endorsement certificate provided in the TPM identity request message. | Check that the identifier is acceptable. |
| | Include the single-valued "Foundation security target" attribute from the platform endorsement certificate provided in the TPM identity request message. | Check that the identifier is acceptable. |
| | Include the "security qualities" attribute from the TPM endorsement certificate provided in the TPM identity request message. (Note: this is the TPM distributed validation.) | Optionally (and if present), check whether the TPM has acceptable security qualities. |
| | Include the "security qualities" attribute from the platform endorsement certificate provided in the TPM identity request message. (Note: this is the platform distributed validation.) | Optionally (and if present), check whether the platform has acceptable security qualities. |
| | Include the "tcpaVersion" attribute provided in the TPM identity request | Check that the TCPA specification version is acceptable, else reject. |
| Basic constraints | Assign "critical" the value TRUE. Assign "CA" the value FALSE. | No action. |
| Name constraints | Omit. | |
| Policy constraints | Omit. | No action. |
| Inhibit any policy | Omit. | No action. |
| CRL distribution points | Omit. | If present and marked critical, then reject. |
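
The verifier-side checks listed in the table above can be expressed as one policy function. The following is an added illustration, not part of the specification: the dictionary model of decoded extensions, its key names, the policy structure and the sample values are all assumptions, and the OIDs use the 2.999 example arc because the specification leaves its own arc as {TBD}.

```python
from datetime import datetime, timezone

# The four single-valued profile attributes whose identifiers must be acceptable.
PROFILE_ATTRS = ("tpmProtectionProfile", "tpmSecurityTarget",
                 "foundationProtectionProfile", "foundationSecurityTarget")


def verify_identity_credential(ext, policy, now):
    """Apply the verifier column of the profile to already-decoded extensions.

    ext    -- dict: extension name -> dict of decoded fields (hypothetical model)
    policy -- dict holding the values this verifier accepts
    Returns a list of rejection reasons; an empty list means every check passed.
    """
    reasons = []

    # Key usage may be omitted; if present the digital signature bit must be set.
    key_usage = ext.get("keyUsage")
    if key_usage is not None and not key_usage.get("digitalSignature"):
        reasons.append("keyUsage: digitalSignature bit not set")

    # Extensions the issuer should omit: tolerated unless marked critical.
    for name in ("extendedKeyUsage", "cRLDistributionPoints"):
        if ext.get(name, {}).get("critical"):
            reasons.append(f"{name}: present and marked critical")

    # The current time must be later than notBefore (nothing to compare if absent).
    period = ext.get("privateKeyUsagePeriod")
    if period is not None:
        not_before = period.get("notBefore")
        if not_before is not None and now <= not_before:
            reasons.append("privateKeyUsagePeriod: notBefore is not yet reached")

    policies = set(ext.get("certificatePolicies", {}).get("policyIdentifiers", ()))
    if not policies & policy["ca_policies"]:
        reasons.append("certificatePolicies: no acceptable Privacy CA policyIdentifier")

    san = ext.get("subjectAltName", {})
    if san.get("tpm") not in policy["tpms"]:
        reasons.append("subjectAltName: TPM manufacturer/model/version not acceptable")
    if san.get("platform") not in policy["platforms"]:
        reasons.append("subjectAltName: platform manufacturer/model/version not acceptable")

    attrs = ext.get("subjectDirectoryAttributes", {})
    for name in PROFILE_ATTRS:
        if attrs.get(name) not in policy["profile_oids"]:
            reasons.append(f"subjectDirectoryAttributes: {name} identifier not acceptable")
    if attrs.get("tcpaVersion") not in policy["spec_versions"]:
        reasons.append("subjectDirectoryAttributes: TCPA specification version not acceptable")
    return reasons


# Constructed sample policy and credential (placeholder OIDs and names).
SAMPLE_POLICY = {
    "ca_policies": {"2.999.1"},
    "tpms": {("Example TPM Co", "T100", "1.1")},
    "platforms": {("Example PC Co", "P200", "3.0")},
    "profile_oids": {"2.999.2.1", "2.999.2.2", "2.999.2.3", "2.999.2.4"},
    "spec_versions": {(1, 1)},
}
SAMPLE_EXT = {
    "keyUsage": {"critical": False, "digitalSignature": True},
    "certificatePolicies": {"critical": True, "policyIdentifiers": ["2.999.1"]},
    "subjectAltName": {"critical": False,
                       "tpm": ("Example TPM Co", "T100", "1.1"),
                       "platform": ("Example PC Co", "P200", "3.0")},
    "subjectDirectoryAttributes": {
        "critical": False,
        "tpmProtectionProfile": "2.999.2.1",
        "tpmSecurityTarget": "2.999.2.2",
        "foundationProtectionProfile": "2.999.2.3",
        "foundationSecurityTarget": "2.999.2.4",
        "tcpaVersion": (1, 1),
    },
    "basicConstraints": {"critical": True, "cA": False},
}

if __name__ == "__main__":
    when = datetime(2002, 1, 1, tzinfo=timezone.utc)
    print(verify_identity_credential(SAMPLE_EXT, SAMPLE_POLICY, when))
```

The function covers only the checks the table states; signature validation and chain building are outside it.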
9.5.6 ASN.1 Definitions

The syntax of the "security qualities" attribute is as follows:

SecurityQualities ATTRIBUTE ::= {
    WITH SYNTAX SecurityQualities
    ID tcpa-tpmSecurityQualities }

SecurityQualities ::= SEQUENCE {
    version INTEGER, -- for this version of the attribute syntax --
    statement [0] UTF8String }

Note: future versions of this certificate profile may define additional, optional, "security qualities" fields.
Inclusion of the "statement" field will remain mandatory.

The syntax of the "TCPA Specification Version" attribute is as follows:

TCPASpecVersion ATTRIBUTE ::= {
    WITH SYNTAX TCPASpecVersion
    ID tcpa-specVersion }

TCPASpecVersion ::= SEQUENCE {
    major INTEGER,
    minor INTEGER }

The syntax of the protection profile and security target attributes is as follows:

TPMProtectionProfile ATTRIBUTE ::= {
    WITH SYNTAX ProtectionProfile
    ID tcpa-at-tpmProtectionProfile }

TPMSecurityTarget ATTRIBUTE ::= {
    WITH SYNTAX SecurityTarget
    ID tcpa-at-tpmSecurityTarget }

FoundationProtectionProfile ATTRIBUTE ::= {
    WITH SYNTAX ProtectionProfile
    ID tcpa-at-foundationProtectionProfile }

FoundationSecurityTarget ATTRIBUTE ::= {
    WITH SYNTAX SecurityTarget
    ID tcpa-at-foundationSecurityTarget }

ProtectionProfile ::= OBJECT IDENTIFIER
SecurityTarget ::= OBJECT IDENTIFIER

The syntax of the "component name" attribute is as follows:

ComponentName ATTRIBUTE ::= {
    WITH SYNTAX Name
    ID tcpa-at-componentName }
The following definitions define the syntax of the RDNs used in the subject alternative name extension to
identify the type of the TPM and the platform.

TpmManufacturer ATTRIBUTE ::= {
    WITH SYNTAX UTF8String
    ID tcpa-at-tpmManufacturer }

TpmModel ATTRIBUTE ::= {
    WITH SYNTAX UTF8String
    ID tcpa-at-tpmModel }

TpmVersion ATTRIBUTE ::= {
    WITH SYNTAX UTF8String
    ID tcpa-at-tpmVersion }

PlatformManufacturer ATTRIBUTE ::= {
    WITH SYNTAX UTF8String
    ID tcpa-at-platformManufacturer }

PlatformModel ATTRIBUTE ::= {
    WITH SYNTAX UTF8String
    ID tcpa-at-platformModel }

PlatformVersion ATTRIBUTE ::= {
    WITH SYNTAX UTF8String
    ID tcpa-at-platformVersion }

TPMIdLabel OTHER-NAME ::= {UTF8String IDENTIFIED BY {tcpa-at-tpmIdLabel}}

-- Object identifier assignments --

tcpa                                 OBJECT IDENTIFIER ::= {TBD}
tcpa-specVersion                     OBJECT IDENTIFIER ::= {tcpa 1}
tcpa-attribute                       OBJECT IDENTIFIER ::= {tcpa 2}
tcpa-protocol                        OBJECT IDENTIFIER ::= {tcpa 3}
tcpa-at-tpmManufacturer              OBJECT IDENTIFIER ::= {tcpa-attribute 1}
tcpa-at-tpmModel                     OBJECT IDENTIFIER ::= {tcpa-attribute 2}
tcpa-at-tpmVersion                   OBJECT IDENTIFIER ::= {tcpa-attribute 3}
tcpa-at-platformManufacturer         OBJECT IDENTIFIER ::= {tcpa-attribute 4}
tcpa-at-platformModel                OBJECT IDENTIFIER ::= {tcpa-attribute 5}
tcpa-at-platformVersion              OBJECT IDENTIFIER ::= {tcpa-attribute 6}
tcpa-at-componentManufacturer        OBJECT IDENTIFIER ::= {tcpa-attribute 7}
tcpa-at-componentModel               OBJECT IDENTIFIER ::= {tcpa-attribute 8}
tcpa-at-componentVersion             OBJECT IDENTIFIER ::= {tcpa-attribute 9}
tcpa-at-securityQualities            OBJECT IDENTIFIER ::= {tcpa-attribute 10}
tcpa-at-tpmProtectionProfile         OBJECT IDENTIFIER ::= {tcpa-attribute 11}
tcpa-at-tpmSecurityTarget            OBJECT IDENTIFIER ::= {tcpa-attribute 12}
tcpa-at-foundationProtectionProfile  OBJECT IDENTIFIER ::= {tcpa-attribute 13}
tcpa-at-foundationSecurityTarget     OBJECT IDENTIFIER ::= {tcpa-attribute 14}
tcpa-at-tpmIdLabel                   OBJECT IDENTIFIER ::= {tcpa-attribute 15}
tcpa-prt-tpmIdProtocol               OBJECT IDENTIFIER ::= {tcpa-protocol 1}
10. Conformance Criteria

10.1 Base Levels for Interoperability

The algorithms and protocols in this specification are the REQUIRED algorithms and protocols. A TPM
Subsystem MAY support additional algorithms and protocols. When this specification specifies the use of
the TSS for a feature, an implementation MAY place the feature in the TPM.

The interoperability requirements shall be implemented at the TSS layer, not the TPM. It is the
responsibility of the TPM manufacturer to produce a vendor specific byte stream generator. The TSS will
provide a generic API that all applications for a specific platform (PC, PDA, etc) can use.
10.2 Conformance Specification Sheet

10.3 Protocol Negotiation and Algorithm Agility



The TPM MUST support the base algorithms specified for each operation. The TPM MAY support 
additional algorithms and parameters. 

The TPM manufacturer MUST include in the TPM credential all algorithms that the TPM supports. 
The TSS manufacturer MUST include in the platform credential all algorithms that the TSS supports. 
10.4 Cryptographic Algorithms and Protocols

10.4.1 Asymmetric

• The TPM MUST support RSA.

• The TPM MUST use the RSA algorithm for encryption and digital signatures.

• The TPM MUST support key sizes of 512, 1024, and 2048 bits. The TPM MAY support other key
sizes. The minimum RECOMMENDED key size is 1024 bits.

• The RSA public exponent MUST be e, where e = 2^16 + 1.

• A TPM that uses CRT as the RSA implementation MUST provide protection and detection of failures
during the CRT process to avoid attacks on the private key.

The TPM MAY implement other asymmetric algorithms such as DSA or elliptic curve. These algorithms
may be in use for wrapping, signatures, and other operations. There is no guarantee that these keys can
[...] TPM devices or that other TPM devices will accept signatures [...].

All Storage keys MUST be of strength equivalent to a 2048 bits RSA key or greater. The TPM SHALL
NOT load a Storage key whose strength is less than that of a 2048 bits RSA key.

All TPM Identity keys MUST be of strength equivalent to a 2048 bits RSA key, or greater.
10.4.2 Symmetric 
The TSS MUST support 3DES. 3DES SHOULD be the symmetric algorithm of choice. The key size of
3DES MUST be 196 bits (three 64-bit keys). 3DES MUST be run in encrypt-decrypt-encrypt (EDE) mode.
The TSS MUST provide detection of weak 3DES keys.

The TSS MUST support DES. The key size for DES MUST be 64 bits (56 bits plus parity). The TSS
MUST provide detection of weak DES keys.

The TSS SHOULD have support for AES when it becomes available.

A TPM MUST support the storage of at least 256-bit symmetric keys. 
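
One way a TSS could implement the weak-key detection required above, as an added example that is not part of the specification. The key tables are the published DES weak and semi-weak keys; treating a 3DES key as weak when a subkey is weak or when adjacent subkeys are equal is this example's interpretation, since the text does not define a weak 3DES key.

```python
# The 4 weak and 12 semi-weak DES keys, written with odd parity.
_WEAK_HEX = [
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E",
]
_SEMI_WEAK_HEX = [
    "01FE01FE01FE01FE", "FE01FE01FE01FE01",
    "1FE01FE00EF10EF1", "E01FE01FF10EF10E",
    "01E001E001F101F1", "E001E001F101F101",
    "1FFE1FFE0EFE0EFE", "FE1FFE1FFE0EFE0E",
    "011F011F010E010E", "1F011F010E010E01",
    "E0FEE0FEF1FEF1FE", "FEE0FEE0FEF1FEF1",
]


def _strip_parity(key: bytes) -> bytes:
    """Clear the low (parity) bit of every byte, leaving the 56 key bits."""
    return bytes(b & 0xFE for b in key)


_WEAK = {_strip_parity(bytes.fromhex(h)) for h in _WEAK_HEX}
_SEMI_WEAK = {_strip_parity(bytes.fromhex(h)) for h in _SEMI_WEAK_HEX}


def has_odd_parity(key: bytes) -> bool:
    """True when every key byte carries an odd number of 1 bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def classify_des_key(key: bytes) -> str:
    """Return 'weak', 'semi-weak' or 'ok' for a 64-bit DES key.

    Parity bits are ignored for the comparison, so a weak key cannot be
    slipped past the check by flipping bits the cipher never uses.
    """
    if len(key) != 8:
        raise ValueError("a DES key is 8 bytes (56 key bits plus parity)")
    stripped = _strip_parity(key)
    if stripped in _WEAK:
        return "weak"
    if stripped in _SEMI_WEAK:
        return "semi-weak"
    return "ok"


def check_3des_key(key: bytes) -> list:
    """Return the reasons to refuse a three-key EDE key (empty list = accept)."""
    if len(key) != 24:
        raise ValueError("a three-key 3DES key is 24 bytes (three 64-bit keys)")
    parts = [key[i:i + 8] for i in (0, 8, 16)]
    problems = []
    for n, part in enumerate(parts, start=1):
        verdict = classify_des_key(part)
        if verdict != "ok":
            problems.append(f"K{n} is a {verdict} DES key")
        if not has_odd_parity(part):
            problems.append(f"K{n} has a parity error")
    k1, k2, k3 = (_strip_parity(p) for p in parts)
    # In EDE mode E_K3(D_K2(E_K1(x))): equal neighbours cancel each other out.
    if k1 == k2 or k2 == k3:
        problems.append("adjacent subkeys are equal: EDE collapses to single DES")
    return problems


if __name__ == "__main__":
    # Constructed sample keys.
    good = bytes.fromhex("0123456789ABCDEF" "FEDCBA9876543210" "89ABCDEF01234567")
    print(check_3des_key(good))
    print(classify_des_key(bytes(8)))
```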

10.4.3 Hashing 

The TPM MUST support the SHA-1 hash algorithm as defined by FIPS-180-1. The output of SHA-1 is 160
bits and all areas that expect a hash value are REQUIRED to support the full 160 bits.

10.4.4 Signature Operations 

The TPM MUST use the RSA algorithm for signature operations. 

The TPM MAY use other asymmetric algorithms for signatures; however, there is no requirement that any
other TPM device either accept or verify those signatures.

The TPM MUST use P1363 for the format and design of the signature output. 
10.4.5 Creating a PCR composite hash

The definition specifies the operation necessary to create TCPA_COMPOSITE_HASH. 
Action 

The hashing MUST be done using the SHA-1 algorithm. 
The input must be a valid TCPA_PCR_SELECTION structure. 

The process creates a TCPA_PCR_COMPOSITE structure from the TCPA_PCR_SELECTION structure 
and the PCR values to be hashed. If constructed by the TPM the values MUST come from the current 
PCR registers indicated by the PCR indices in the TCPA_PCR_SELECTION structure. 

The process then computes a SHA-1 digest of the TCPA_PCR_COMPOSITE structure. 

The output is the SHA-1 digest just computed. 

10.4.6 Creating TCPA_CHOSENID_HASH 

This definition specifies the operation necessary to create a TCPA_CHOSENID_HASH structure.

Parameters

| Type | Name | Description |
|---|---|---|
| BYTE[] | identityLabel | The label chosen for a new TPM identity |
| TCPA_PUBKEY | privacyCA | The public key of a privacy CA chosen to attest to a new TPM identity |

Action 

The hashing MUST be done using the SHA-1 algorithm. 

The process concatenates identityLabel and privacyCA (identityLabel followed by privacyCA) and 
computes a SHA-1 digest of the concatenated data. 

The output is the SHA-1 digest just computed. 
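
The two hash constructions of 10.4.5 and 10.4.6, worked through as an added example that is not part of the specification. The byte layout is an assumption taken from the structure definitions given elsewhere in this specification: TCPA_PCR_SELECTION as a big-endian UINT16 sizeOfSelect followed by the selection bitmap, and TCPA_PCR_COMPOSITE as that selection, a big-endian UINT32 valueSize and the selected 20-byte PCR values. The privacyCA argument is taken to be the already serialized TCPA_PUBKEY.

```python
import hashlib
import struct

PCR_VALUE_SIZE = 20  # a PCR value is one SHA-1 digest


def pcr_selection(indices, size_of_select=2):
    """Serialize a TCPA_PCR_SELECTION: UINT16 sizeOfSelect, then the bitmap.

    Assumed bit order: PCR i is selected by bit (i % 8) of byte (i // 8).
    """
    bitmap = bytearray(size_of_select)
    for i in indices:
        if not 0 <= i < size_of_select * 8:
            raise ValueError(f"PCR index {i} does not fit in {size_of_select} bytes")
        bitmap[i // 8] |= 1 << (i % 8)
    return struct.pack(">H", size_of_select) + bytes(bitmap)


def pcr_composite(indices, pcr_bank, size_of_select=2):
    """Serialize a TCPA_PCR_COMPOSITE for the selected PCRs.

    Values are appended in ascending index order whatever order the caller
    listed them in, so a verifier rebuilding the structure hashes the same bytes.
    """
    chosen = sorted(set(indices))
    values = b""
    for i in chosen:
        value = pcr_bank[i]
        if len(value) != PCR_VALUE_SIZE:
            raise ValueError(f"PCR {i} is not {PCR_VALUE_SIZE} bytes")
        values += value
    return (pcr_selection(chosen, size_of_select)
            + struct.pack(">I", len(values))
            + values)


def composite_hash(indices, pcr_bank, size_of_select=2):
    """TCPA_COMPOSITE_HASH: SHA-1 over the serialized TCPA_PCR_COMPOSITE."""
    return hashlib.sha1(pcr_composite(indices, pcr_bank, size_of_select)).digest()


def chosen_id_hash(identity_label: bytes, privacy_ca_pubkey: bytes) -> bytes:
    """TCPA_CHOSENID_HASH: SHA-1(identityLabel || privacyCA), in that order."""
    return hashlib.sha1(identity_label + privacy_ca_pubkey).digest()


# Constructed sample bank: PCR 0 is all zero bytes, PCR 2 is all 0xFF bytes.
SAMPLE_BANK = {0: bytes(20), 2: b"\xff" * 20}

if __name__ == "__main__":
    print(pcr_composite([2, 0], SAMPLE_BANK).hex())
    print(composite_hash([2, 0], SAMPLE_BANK).hex())
    print(chosen_id_hash(b"example-label", b"<serialized TCPA_PUBKEY>").hex())
```

A verifier that receives reported PCR values can rebuild the composite with the same functions and compare digests.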
10.4.7 Using Secret Keys 




A secret key is a key that is a private asymmetric key or a symmetric key. 

Data SHOULD NOT be used as a secret key by a TCPA protected capability unless that data has been 
extant only in a shielded location. 

A key generated by a TCPA protected capability SHALL NOT be used as a secret key unless that key 
has been extant only in a shielded location. 

A secret key obtained by a TCPA protected capability from a Protected Storage blob SHALL be extant 
only in a shielded location. 
10.5 Random Number Generator (RNG)




The RNG for the TPM will consist of the following components: 

• Entropy source and collector 

• State register 

• Mixing function 

The RNG capability is a TPM-protected capability with no access control. 

The RNG output may or may not be shielded data. When the data is for internal use by the TPM (e.g.,
asymmetric key generation) the data MUST be held in a shielded location. When the data is for use by
the TSS or another external caller, the data is not shielded.

10.5.1 Entropy Source and Collector 




The entropy source MUST provide entropy to the state register in a manner that provides entropy that is
not visible to an outside process. For compliance purposes, the entropy source MAY be in the TSS and
not the TPM; however, attention MUST be paid to the reporting mechanism.

The entropy source MUST provide the information only to the state register. The entropy source may
provide information that has a bias, so the entropy collector must remove the bias before updating the
state register. The bias removal could use the mixing function or a function specifically designed to
handle the bias of the entropy source. The entropy source can be a single device (such as hardware
noise) or a combination of events (such as disk timings). It is the responsibility of the entropy collector to
update the state register whenever the collector has additional entropy.



10.5.2 State Register 






Version 1.1a 1 December 2001 



TCPA Main Specification 







The state register is in a TPM-shielded location. The state register MUST be non-volatile. The update 
function to the state register is a TPM-protected capability. The primary input to the update function 
SHOULD be the entropy collector. 

If the current value of the state register is unknown, calls made to the update function with known data 
MUST NOT result in the state register ending up in a state that an attacker could know. This requirement 
implies that the addition of known data MUST NOT result in a decrease in the entropy of the state 
register. 

The TPM MUST NOT export the state register. 
10.5.3 Mixing Function 




Each use of the mixing function MUST affect the state register. This requirement is to affect the volatile 
register and does not need to affect the non-volatile state register. 

10.5.4 RNG Reset 



The RNG MUST NOT output any bits after a system reset until the following occurs: 

• The entropy collector performs an update on the state register. This does not include the adding of 
the previous state but requires at least one bit of entropy. 

• The mixing function performs a self-test. This self-test MUST occur after the loading of the previous 
state. It MAY occur before the entropy collector performs the first update. 
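
A small model of the state register rules in 10.5.2 and the reset gating in 10.5.4, added here as an illustration and not taken from the specification. The use of SHA-1 as the mixing function, the class and method names, and the non-conforming OverwritingRng variant are assumptions made to show why the update function has to fold new data into the existing state. It is a teaching model, not a generator to deploy.

```python
import hashlib


class RngNotReady(Exception):
    """Raised when output is requested before the reset conditions are met."""


def mix(state: bytes, data: bytes) -> bytes:
    """Mixing function of this model: SHA-1 over state || data (an assumption)."""
    return hashlib.sha1(state + data).digest()


class ModelRng:
    """State register plus update, mixing and reset behaviour of section 10.5."""

    def __init__(self, saved_state: bytes):
        self._nv_state = saved_state   # non-volatile state register, never exported
        self.reset()

    def reset(self):
        """System reset: reload the previous state and block all output."""
        self._state = self._nv_state   # volatile working copy of the register
        self._entropy_added = False    # reloading old state does not count
        self._self_tested = False

    def self_test(self) -> bool:
        """Known-answer test of the mixing function, run after the state reload."""
        known = "a9993e364706816aba3e25717850c26c9cd0d89d"   # SHA-1("abc")
        self._self_tested = mix(b"", b"abc").hex() == known
        return self._self_tested

    def update(self, data: bytes, from_entropy_source: bool = False):
        """Fold data into the state register.

        Because the old state is an input, a caller who supplies known data
        still cannot predict the result without knowing the old state.
        """
        self._state = mix(self._state, data)
        self._nv_state = self._state
        if from_entropy_source and data:
            self._entropy_added = True

    def get_bytes(self, n: int) -> bytes:
        if not (self._entropy_added and self._self_tested):
            raise RngNotReady("entropy update and mixing self-test required after reset")
        out = b""
        while len(out) < n:
            self._state = mix(self._state, b"step")   # every use moves the state
            out += mix(self._state, b"out")           # output never equals the state
        return out[:n]


class OverwritingRng(ModelRng):
    """Non-conforming variant for comparison: update() discards the old state."""

    def update(self, data: bytes, from_entropy_source: bool = False):
        self._state = hashlib.sha1(data).digest()     # known data gives a known state
        self._nv_state = self._state
        if from_entropy_source and data:
            self._entropy_added = True


def outputs_after_same_update(cls, n=32):
    """Feed identical data to two instances that start from different states."""
    results = []
    for seed in (b"\x01" * 20, b"\x02" * 20):
        rng = cls(seed)
        rng.self_test()
        rng.update(b"identical input", from_entropy_source=True)
        results.append(rng.get_bytes(n))
    return results


if __name__ == "__main__":
    a, b = outputs_after_same_update(ModelRng)
    print("folding update, outputs equal:", a == b)
    a, b = outputs_after_same_update(OverwritingRng)
    print("overwriting update, outputs equal:", a == b)
```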
10.6.1 Asymmetric

The TPM MUST generate asymmetric key pairs. The generate function is a protected capability and the
private key is held in a shielded location. The implementation of the generate function MUST be in
accordance with P1363.

The prime-number testing for the RSA algorithm MUST use the definitions of P1363. If additional
asymmetric algorithms are available, they MUST use the definitions from P1363 for the underlying basis
of the asymmetric key (for example, elliptic curve fitting).

10.6.2 Symmetric 

The TSS MUST generate a symmetric key by taking the next n bits from the TPM RNG. 

The TSS SHOULD provide any processing of a symmetric key. Processing is an algorithm-specific
operation and implementation is left to the designer.

10.6.3 Nonce Creation 

The creation of all nonce values MUST use the next n bits from the TPM RNG. 
10.7 Auditing




The TPM MUST be able to generate audit events for all TCPA protected capabilities. 



The TPM Owner MUST be able to select the functions that will generate an audit event at any time. 

The TPM MUST provide a PCR to store and log the audit events. The TPM MUST allow for the reporting
of the current audit log PCR value. The value that the TPM adds to the TPM audit PCR MUST be the
TCPA_AUDIT_EVENT structure.

The TSS MUST provide a log of all TPM-generated events. The TPM will generate the event and the TSS
will fill in the event details. The TPM SHALL provide as much detail as it has available; however, the TSS
MUST fill in all remaining details for the audit event. For instance, the audit event will require a date and
time stamp on the event. There is no requirement for a clock function in the TPM, so the date and time
would come normally from the TSS.

The TPM MAY generate audit events for other functions and activities not on this list. 






10.8 Self-Tests 

The TPM MUST provide startup self-tests. The TPM MUST provide mechanisms to allow the self-tests to 
be run on demand. The response from the self-tests is pass or fail. 

The TPM MUST complete the startup self-tests in a manner and timeliness that allows the TPM to be of
use to the BIOS during the collection of integrity metrics. The TPM MUST complete the required checks
before a given feature is in use. This requirement allows the TPM to test the integrity metric storage and
allow its use while simultaneously continuing to test the signature engine.

There are two sections of startup self-tests: required and recommended. The recommended tests are not
a requirement due to timing constraints. The TPM manufacturer should perform as many tests as possible
in the time constraints.

The TPM MUST report the tests that it performs. 

The TPM MUST provide a mechanism to allow self-test to execute on request by any Challenger. 
The TPM MUST provide for testing of some operations during each execution of the operation. 

10.8.1 Required Self-Tests 

The TPM MUST check the following: 

• RNG functionality. This test follows FIPS 140-1, which checks the functioning of an RNG.

• Reading and extending the integrity registers. The self-test for the integrity registers will leave the
integrity registers in a known state.

• Testing the endorsement key pair integrity, if they exist. This requirement specifies that the TPM will
verify that the endorsement key pair can sign and verify a known value. This test also tests the RSA
sign and verify engine. If an endorsement key has not yet been generated the TPM action is
manufacturer specific.

• The integrity of the protected capabilities of the TPM. This means that the TPM must ensure that its
"microcode" has not changed, and not that a test must be run on each function.

• Any tamper-resistance markers. The tests on the tamper-resistance or tamper-evident markers are
under programmable control. There is no requirement to check tamper-evident tape or the status of
epoxy surrounding the case.

10.8.2 Recommended Checks 

The TPM SHOULD check the following:

• The hash functionality. This check will hash a known value and compare it to an expected result.
There is no requirement to accept external data to perform the check. The TPM MAY support a test
using external data.

• Any symmetric algorithms. This check will use known data with a random key to encrypt and decrypt
the data.

• Any additional asymmetric algorithms. This check will use known data to encrypt and decrypt.

• The key-wrapping mechanism. The TPM should wrap and unwrap a key. The TPM MUST NOT use
the endorsement key pair for this test.

10.8.3 Self-Test Failure 

When the TPM detects a failure during any self-test, the part experiencing the failure MUST enter a
shut-down mode. This shut-down mode will allow only the following operation to occur:

• Update. The update function MAY replace invalid microcode, providing that the parts of the TPM that
provide update functionality have passed self-test.

All other operations will return the error code TCPA_FAILEDSELFTEST. 

10.9 Object Reuse 

The TPM MUST destroy and erase all temporal objects when the TPM finishes processing the object. The
use of an object can be a long-term operation. For instance, the TPM could load an identity key and keep
the key in memory while performing multiple challenge and response operations. There is no requirement
to unload the object after each operation, but there is a requirement that the object be properly disposed
of when all operations are complete.

When an internal TPM process uses objects, no information regarding the object may be available to 
outside processes. The TPM MUST enforce access control to all objects carrying sensitive information. 

10.10 Maintenance

The maintenance feature MUST ensure that the information can be on only one TPM at a time.
Maintenance MUST ensure that at no time the process will expose a shielded location. Maintenance
MUST require the active participation of the Owner.

10.11 Backup 




The TPM MUST support the backup feature. The TPM MUST create a blob of migratable data that is
readable by any other TPM. A receiving TPM MAY reject a backup blob if the underlying information is a
non-standard size or algorithm.

10.12 Strength of Function

The TPM MUST report the SOF values to a Challenger and the SOF values MUST be part of the TPM
endorsement certificate and the platform conformance certificate.

10.13 Physical Protection

TPM MUST satisfy the FIPS 140-1 (or its successor) level 2 physical security requirements, or its
equivalent.

10.14 Protection Profile

10.15 Compliance to Specification



10.16 Field Upgrade

The TPM SHOULD have provisions for upgrading the subsystem after shipment from the manufacturer. If
provided, the mechanism MUST follow the requirement from section 8.16.

10.17 Physical Presence or Access

The requirement for physical presence MUST be met by the platform manufacturer using some physical
mechanism.

10.17.1 TSC_PhysicalPresence

Type

TCPA connection capability. Optional function; this functionality can be implemented by any vendor
specific command.



Incoming Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RQU_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of input bytes including paramSize and tag |
| 3 | 4 | | | TCPA_COMMAND_CODE | ordinal | Command ordinal, fixed value of TSC_ORD_PhysicalPresence. |
| 4 | 2 | | | TCPA_PHYSICAL_PRESENCE | physicalPresence | The state to set the TPM's Physical Presence flags. |

Outgoing Operands and Sizes

| PARAM # | PARAM SZ | HMAC # | HMAC SZ | Type | Name | Description |
|---|---|---|---|---|---|---|
| 1 | 2 | | | TCPA_TAG | tag | TPM_TAG_RSP_COMMAND |
| 2 | 4 | | | UINT32 | paramSize | Total number of output bytes including paramSize and tag |
| 3 | 4 | | | TCPA_RESULT | returnCode | The return code of the operation. See section 4.3 of Main Specification. |



Descriptions 

This command must be implemented in the TPM; however, support for all of the bits is optional.

The operation sets the state of the physicalPresenceLifetimeLock, physicalPresenceHWEnable, and
physicalPresenceCMDEnable flags to indicate how physical presence is to be indicated. It also sets the
PhysicalPresence and PhysicalPresenceLock flags, if enabled, during operation of the Platform to
indicate physical presence. This is a bit mask allowing a combination of flags to be set in a single
operation.

Note: The TPM_PhysicalEnable requires unambiguous evidence of the presence of physical access. This
is a higher level of proof than the other "physical presence" commands. A PhysicalPresence flag set to
TRUE SHALL NOT be sufficient proof to permit execution of TPM_PhysicalEnable unless it is impossible
for software to subvert the TSC_PhysicalPresence command.

Actions 

1. This operation MUST be implemented to process the values in the following order: 

a. physicalPresenceHWEnable and physicalPresenceCMDEnable 

b. physicalPresenceLifetimeLock 

c. PhysicalPresence 

d. PhysicalPresenceLock 

2. Once the PhysicalPresenceLock flag is set to TRUE, the TPM MUST not modify the
PhysicalPresence flag until a TPM_Init followed by TPM_Startup(stType = TCPA_ST_CLEAR). Upon
a TPM_Init and TPM_Startup(stType = TCPA_ST_STATE) the TPM MUST set the
PhysicalPresenceLock flag to FALSE.

3. If the PhysicalPresenceLock flag is set to TRUE upon any call to this operation, the TPM MUST 
cause no action and MUST return the error TCPA_BAD_PARAMETER. 
10.18 Other Specifications




Individual manufacturers MAY do the additional design and testing to obtain a FIPS 140 certification, but 
there is no requirement that a TCPA device obtain this testing. 



Specifications or standards included in this specification 

• PKCS#1: RSA Data Security, Inc. Public-Key Cryptography Standards (PKCS) Version 2.0 

o RSAES_OAEP (2.0) 
o RSASSA-PKCS1-v1_5 

• ITU-T Recommendation X.509 | ISO/IEC 9594-8: "Information technology - Open Systems
Interconnection - The Directory: Public-key and attribute certificate frameworks", 4th Edition.

• DES/3DES: Data Encryption Standard FIPS 46-3 (DES) : National Institute of Standards and
Technology

• ASN.1: Abstract Syntax Notation One : ITU-T Recommendations X.680-X.683 

• FIPS 140-1: Federal Information Processing Standards Publication 140-1 "Security Requirements 
for Cryptographic Modules" 

• BER: Basic Encoding Rules : ITU-T Recommendation X.690-691 (1997) 

• ISO 15408 (Common Criteria) 

• SHA-1: Secure Hash Algorithm : NIST FIPS PUB 180-1, "Secure Hash Standard," : National 
Institute of Standards and Technology 

• RFC 2104 (HMAC)
Appendix A: Glossary

3DES 

DES using a key of a size that is 3X the size that of a DES key. See DES. 
Blob 

Opaque data of fixed or variable size. The meaning and interpretation of the data is outside the scope 
and context of the Subsystem. 

Challenger 

An entity that requests and has the ability to interpret integrity metrics from a Subsystem. 
Conformance Credential 

A credential that states the conformance to the TCPA specification of: the TPM; the method of 
incorporation of the TPM into the platform; the RTM; and the method of incorporation of the RTM into the 
platform. 

Denial-of-service attack 

An attack on a system (or subsystem) which has no effect on information except to prevent its use.
DES 

Symmetric key encryption using a key size of 56 bits defined by NIST as FIPS 46-3. Reference
http://csrc.ncsl.nist.gov/cryptval/des.htm .

Endorsement Credential 

A credential containing a public key (the endorsement public key) that was generated by a genuine TPM. 
Endorsement Key 

A term used ambiguously, depending on context, to mean a pair of keys, or the public key of that pair, or 
the private key of that pair; an asymmetric key pair generated by a TPM that is used as proof that a TPM 
is a genuine TPM; the public endorsement key (PUBEK); the private endorsement key (PRIVEK). 

Identity Credential 

A credential issued by a Privacy CA that provides an identity for the TPM. 
Integrity metric(s) 

Values that are the results of measurements on the integrity of the platform. 
Man-in-the-middle attack 

An attack by an entity intercepting communications between two others without their knowledge and by 
intercepting that communication is able to obtain or modify the information between them. 

Migratable 

A key which may be transported outside the specific TPM. 
Non-Migratable 

A key which cannot be transported outside a specific TPM; a key that is (statistically) unique to a 
particular TPM. 

Non-Volatile 

Storage location or memory that retain their values after power-off or a TPM_Init function.
Owner 

The entity that owns the platform in which a TPM is installed. Since there is, by definition, a one-to-one 
relationship between the TPM and the platform, the Owner is also the Owner of the TPM. The Owner of 
the platform is not necessarily the "user" of the platform (e.g., in a corporation, the Owner of the platform
might be the IT department while the user is an employee.) The Owner has administration rights over the 
TPM. 

PKI Identity Protocol 

The protocol used to insert anonymous identities into the TPM. 
Platform Credential 

A credential that states that a specific platform contains a genuine TCPA Subsystem. 
POST 

POST refers to the Power On Self Test performed by a PC. 
Protection Profile 

A document that defines all attacks and how they are resisted by the TPM, the RTM, and the methods by 
which they are incorporated into the platform. 

Privacy CA 

An entity that issues an Identity Credential for a TPM based on trust in the entities that vouch for the TPM 
via the Endorsement Credential, the Conformance Credential, and the Platform Credential. 

Private Endorsement Key (PRIVEK) 

The private key of the key pair that proves that a TPM is a genuine TPM. The PRIVEK is (statistically) 
unique to only one TPM. 

Public Endorsement Key (PUBEK) 

A public key that proves that a TPM is a genuine TPM. The PUBEK is (statistically) unique to only one 
TPM. 

Random number generator (RNG) 

A pseudo-random number generator that must be initialized with unpredictable data and provides
"random" numbers on demand.

Root of Trust for Measurement (RTM) 

The point from which all trust in the measurement process is predicated. The RTM contains many 
components to provide this level of trust. The design document shows that the RTM includes a core 
component, the computing engine to run the core component, physical connections of the core and the 
computing engine and other items. 

Root of Trust for Reporting (RTR) 

The point from which all trust in reporting of measured information is predicated. 
Root of Trust for Storing (RTS) 

The point from which all trust in Protected Storage is predicated. 
RSA 

An (asymmetric) encryption method using two keys: a private key and a public key. Reference: 
http://www.rsa.com . 

SHA-1 

A NIST defined hashing algorithm producing a 160 bit result from an arbitrary sized source as specified in 
FIPS 180-1. Reference: http://csrc.ncsl.nist.gov/cryptval/shs.html .

Storage Root Key (SRK) 
The root key of a hierarchy of keys associated with a TPM; generated within a TPM; a non-migratable
key. 

Subsystem 

The combination of the TSS and the TPM. 
Support Services (TSS) 

Services to support the TPM but which do not need the protection of the TPM. The same as Trusted 
Platform Support Services. 

Trusted Building Block (TBB) 

A trusted Platform is instantiated as a Trusted Building Block (TBB) which is the evaluated component of 
a trusted system. The TBB is composed of the TPM, the Core RTM and the connection between them. 

TCPA-protected capability 

A function which is protected within the TPM, and has access to TPM secrets. 
TPM Identity 

One of the anonymous PKI identities belonging to a TPM; a TPM may have multiple identities. 
TPM POST 

TPM POST refers to the Power On Self Test performed by a TPM. 

Trusted Platform Agent (TPA) 

Trusted Platform Agent; the component within the platform that reports integrity metrics, logs, Validation 
Data, etc. to a Challenger; outside the scope of this specification. 

Trusted Platform Measurement Store (TPMS) 

Storage locations within the Subsystem, which contain unprotected logs of the measurement process. 

Trusted Platform Module (TPM) 

The set of functions and data that are common to all types of platform, which must be trustworthy if the 
Subsystem is to be trustworthy; a logical definition in terms of protected capabilities and shielded 
locations. 

Trusted Platform Support Services (TSS) 

The set of functions and data that are common to all types of platform, which are not required to be 
trustworthy (and therefore do not need to be part of the TPM). 

User 

An entity that uses the platform in which a TPM is installed. The only rights that a User has over a TPM 
are the rights given to the User by the Owner. These rights are expressed in the form of authorization 
data, given by the Owner to the User, that permits access to entities protected by the TPM. The User of 
the platform is not necessarily the "owner" of the platform (e.g., in a corporation, the owner of the platform 
might be the IT department while the User is an employee). There can be multiple Users. 

Validation Credential 

A credential that states values of measurements that should be obtained when measuring a particular 
part of the platform when the part is functioning as expected. 

Validation Data 

Data inside a Validation Credential; the values that the integrity measurements should produce when the 
part of a platform described by the Validation Credential is working correctly. 

Validation Entity 

An entity that issues a Validation Certificate for a component; the manufacturer of that component; an 
agent of the manufacturer of that component. 

Volatile 

Storage locations or memory that are either set to a predefined value (e.g., zero) or have values that are 
undefined upon completion of a power-on or TPM_Init function. 

Appendix B: Key Usage Table 

This table summarizes the types of keys associated with a given TPM command. 

Section  Name                      First Key  Second Key  First Key types  Second Key types
5.6.1    TPM_ChangeAuth            parent     blob        X                XXX XX
5.2.5    TPM_OSAP                  entity                 X X X X X X
5.7.1    TPM_ChangeAuthAsymStart   idKey      ephemeral   X                X
5.7.2    TPM_ChangeAuthAsymFinish  parent     ephemeral   X                X
6.3.3    TPM_Quote                 key                    X X X
7.2.1    TPM_Seal                  key                    X
7.2.2    TPM_Unseal                parent                 X
7.2.4    TPM_UnBind                key                    X X
7.2.5    TPM_CreateWrapKey         parent                 X
7.2.8    TPM_LoadKey               parent     inKey       X                XXX XX
7.2.10   TPM_GetPubKey             key                    X X X X X X
7.2.11   TPM_CreateMigrationBlob   parent     blob        X                XX XX
7.2.12   TPM_ConvertMigrationBlob  parent                 X
8.3.1    TPM_CertifyKey            certKey    inKey       X X X            XXX XX
8.7.1    TPM_Sign                  key                    X X
8.9.2    TPM_CertifySelfTest       key                    X X X
8.11.2   TPM_GetCapabilitySigned   key                    X X X
8.12.2   TPM_GetAuditEventSigned   key                    X X X
9.3.4    TPM_ActivateIdentity      idKey                  X